Abstract

Schneider [1] demonstrates that many fault-tolerant clock synchronization
algorithms can be represented as refinements of a single proven correct
paradigm. Shankar [2] provides a mechanical proof (using Ehdm [3]) that
Schneider's schema achieves Byzantine fault-tolerant clock synchronization
provided that eleven constraints are satisfied. Some of the constraints are
assumptions about physical properties of the system and cannot be
established formally. Proofs are given (in Ehdm) that the fault-tolerant
midpoint convergence function satisfies three of these constraints. This
paper presents a hardware design, implementing the fault-tolerant midpoint
function, which will be shown to satisfy the remaining constraints. The
synchronization circuit will recover completely from transient faults
provided the maximum fault assumption is not violated. The initialization
protocol for the circuit also provides a recovery mechanism from total
system failure caused by correlated transient faults.
1 Introduction


NASA Langley Research Center is currently involved in the development of
a formally verified Reliable Computing Platform (RCP) for real-time digital
flight control systems [4, 5, 6]. An often quoted requirement for critical
systems employed for civil air transport is a probability of catastrophic
failure less than 10^-9 for a 10 hour flight [?]. Since failure rates for
digital devices are on the order of 10^-? per hour [8], hardware redundancy
is required to achieve the desired level of reliability. While there are
many ways of incorporating redundant hardware, the approach taken in the
RCP is the use of identical redundant channels with exact match voting
(see [4, 5] and [6]).

A critical function in a fault-tolerant system is that of synchronizing
the clocks of the redundant computing elements. The clocks must be
synchronized in order to provide coordinated action among the redundant
sites. Although perfect synchronization is not possible, clocks can be
synchronized within a small skew. The purpose of this work is to provide a
mechanically verified design of a fault-tolerant clock synchronization
circuit.

The fault-tolerant clock synchronization circuit is intended to be part
of a verified hardware base for the RCP. The primary intent of the RCP is
to provide a verified fault-tolerant system which is proven to recover from
a bounded number of transient faults. The current model of the system
assumes (among other things) that the clocks are synchronized within a
bounded skew [5]. It is crucial that the clock synchronization circuitry
also be able to recover from transient faults. Originally, Lamport and
Melliar-Smith's Interactive Convergence Algorithm (ICA) [9] was to be the
basis for the clock synchronization hardware, the primary reason being the
existence of a mechanical proof that the algorithm is correct [10]. However,
modifications to ICA to achieve transient fault recovery are unnecessarily
complicated. The fault-tolerant midpoint algorithm of [11] is more readily
adapted to transient recovery.

The synchronization circuit is designed to tolerate arbitrarily malicious
permanent, intermittent and transient hardware faults. A fault is defined
as a physical perturbation altering the function implemented by a physical
device. Intermittent faults are permanent physical faults which do not
constantly alter the function of a device (e.g. a loose wire). A transient
fault is a one-shot, short duration physical perturbation of a device
(e.g. caused by a cosmic ray or other electromagnetic effect). Once the
source of the fault is removed, the device can function correctly.

Most proofs of fault-tolerant clock synchronization algorithms are by
induction on the number of synchronization intervals. Usually, the base
case of the induction, the initial skew, is assumed. The descriptions in
[1, 2, 9, 10] all assume initial synchronization with no mention of how it
is achieved. Others, including [11, 12, 13] and [14], address the issue of
initial synchronization and give descriptions of how it is achieved in
varying degrees of detail. In proving an implementation correct, the
details of initial synchronization cannot be ignored. If the initialization
scheme is robust enough, it can also serve as a recovery mechanism from
multiple correlated transient failures (as is noted in [14]).

Schneider [1] demonstrates that many fault-tolerant clock synchronization
algorithms can be represented as refinements of a single proven correct
paradigm. Shankar [2] provides a mechanical proof (using Ehdm [3]) that
Schneider's schema achieves Byzantine fault-tolerant clock synchronization,
provided that eleven constraints are satisfied. Some of the constraints are
assumptions about physical properties of the system and cannot be
established formally. This paper proposes a hardware solution to the clock
synchronization problem which will be shown to satisfy the remaining
constraints.

This paper discusses preliminary results in the verification of the
design. The fault-tolerant midpoint function is formally proven (in Ehdm)
to satisfy the properties of translation invariance, precision enhancement,
and accuracy preservation.(1) A register transfer level design is presented
which implements the synchronization algorithm. An argument for transient
recovery from a single fault is presented and issues relating to the more
general case are raised. Finally, the approach for achieving initial
synchronization is discussed. The notation used here is from Shankar [2].

2 Description of the Reliable Computing Platform

This section summarizes the key details of the Reliable Computing Platform 
to establish a context for the clock synchronization circuit. It is included 
here for completeness. The material in this section is paraphrased from 
Butler and DiVito [5]. The interested reader should consult [5] for more 
detailed information. 

(1) These properties will be defined in the section describing the
fault-tolerant midpoint convergence function.

Figure 1: Hierarchical Specification of the Reliable Computing Platform.

NASA-Langley is currently involved in the development of a formally 
verified Reliable Computing Platform for real-time control [4, 5]. A pri- 
mary goal is to provide a fault-tolerant computing base that appears to 
the application programmer as a single ultra-reliable computer. To achieve 
this, it is necessary to conceal implementation details of the system. Some 
characteristics of the system are as follows [5]: 

• "‘the system is non-reconfigurable 

• the system is frame- synchronous 

• the scheduling is static, non-preemptive 

• internal voting is used to recover the state of a processor affected by 
a transient fault” 

A hierarchy of models is introduced which provides different levels of
abstraction (figure 1, taken from [5]). The top level is the view presented
to the applications programmer, i.e. an ultra-reliable uniprocessor system.
The details of fault-tolerance are introduced in the lower levels. The next
two levels, replicated synchronous and distributed synchronous, introduce
the redundancy and voting required for fault-tolerance, but assume
perfectly synchronized clocks and an interactive consistency network for
reliable distribution of single source data. The fourth level, distributed
asynchronous, weakens the assumption of perfect synchrony to one where the
clocks are synchronized to within a bounded skew. The details of the
hardware/software implementation have yet to be worked out. An abstract
view of the assumed

Figure 2: Generic Hardware Architecture

hardware architecture is given in figure 2 (from [5]). The clock synchro- 
nization circuit presented here is intended to serve as part of the verified 
hardware base at the lowest level of the hierarchy. 


3 Clock Definitions 

This section introduces the notation and assumptions used in Shankar’s 
proof and is largely taken from sections 2.1 and 2.2 of [2]. The conditions 
enumerated here provide the formal specification for the clock synchroniza- 
tion circuit. 
  $PC_p(t)$               The reading of p's physical clock at real time t.

  $VC_p(t)$               The reading of p's virtual clock at time t. This is
                          the logical time used by the system.

  $IC^i_p(t)$             The reading of p's ith interval clock at real time t
                          (only sensible if $t^i_p \le t$).

  $t^i_p$                 The real time that processor p begins the ith
                          synchronization interval.

  $adj^i_p$               Cumulative adjustment to p's physical clock up to
                          and including $t^i_p$.

  $\Theta^i_p$            An array of clock readings (local to p) such that
                          (for i > 0) $\Theta^i_p(q)$ is p's reading of q's
                          clock at $t^i_p$.

  $cfn(p, \Theta^i_p)$    Convergence function executed by p to establish
                          correct $IC^i_p(t^i_p)$.

Table 1: Clock Notation

3.1 Shankar’s Notation 

In general, clocks will be represented by different abstractions. Each redun- 
dant clock will incorporate a physical oscillator which marks passage of time. 
Each oscillator will drift with respect to real time by a small amount. Phys- 
ical clocks derived from these oscillators will similarly drift with respect to 
each other. The purpose of a clock synchronization algorithm is to make pe- 
riodic adjustments to local (virtual) clocks to keep redundant clocks within 
a bounded skew of each other. This periodic adjustment makes analysis 
difficult, so an interval clock abstraction is used in the proofs. This interval 
clock is indexed by the number of elapsed intervals since the beginning of 
the protocol. An interval corresponds to the elapsed time between adjust- 
ments to the virtual clock. The proof that synchronization is maintained is 
by induction on intervals. 

Table 1 introduces the notation for the key elements required for a ver- 
ified clock synchronization algorithm. Shankar outlines the following set of 
relationships between these values, 

    $adj^{i+1}_p = cfn(p, \Theta^{i+1}_p) - PC_p(t^{i+1}_p)$

    $adj^0_p = 0$

    $IC^i_p(t) = PC_p(t) + adj^i_p$

    $VC_p(t) = IC^i_p(t)$, for $t^i_p \le t < t^{i+1}_p$

presuming the presence of PC and VC, with an abstraction for IC used in
the proofs. The following can be simply derived.

    $IC^{i+1}_p(t^{i+1}_p) = cfn(p, \Theta^{i+1}_p)$

    $IC^{i+1}_p(t) = cfn(p, \Theta^{i+1}_p) + PC_p(t) - PC_p(t^{i+1}_p)$

Using these equations and the eleven conditions outlined in the next
section, Shankar mechanically verified Schneider's paradigm. Some of the
conditions will need to be modified in order to reason about transient
recovery. It will then be necessary to rerun the Ehdm proofs of the main
theorem of [2] (below).

Any implementation which satisfies the constraints in Shankar's report
will provide the following guarantee.

Theorem 1 (bounded skew) For any two clocks p and q that are non-faulty
at time t,

    $|VC_p(t) - VC_q(t)| \le \delta$

That is, the difference in time observed by two non-faulty clocks is
bounded by a small amount. This gives the leverage needed to reliably
build a fault-tolerant system. The next section enumerates the conditions
to be met to guarantee this result.

3.2 Shankar’s Conditions 

The first condition is initial skew, $\delta_S$, which is a bound on the
difference between good clocks at the beginning of the protocol.

Condition 1 (initial skew) For nonfaulty processors p and q

    $|PC_p(0) - PC_q(0)| \le \delta_S$

The rate at which a good clock can drift from real time is bounded by a
small constant $\rho$.(2)

(2) Notice that in this formulation a good clock must have been good
continually since time 0. This condition will need to be modified in order
to reason about recovery from transient faults.
Condition 2 (bounded drift) There is a nonnegative constant $\rho$ such
that if clock p is nonfaulty at time $s \ge t$, then

    $(1 - \rho)(s - t) \le PC_p(s) - PC_p(t) \le (1 + \rho)(s - t)$

Shankar notes the following corollary to bounded drift, which limits the
amount two good clocks can drift with respect to each other during the
interval from t to s.

    $|PC_p(s) - PC_q(s)| \le |PC_p(t) - PC_q(t)| + 2\rho(s - t)$

The next four conditions describe some constraints upon the synchro- 
nization interval as related to initial conditions of the protocol. 

Condition 3 (bounded interval) For nonfaulty clock p

    $0 < r_{min} \le t^{i+1}_p - t^i_p \le r_{max}$

Condition 4 (bounded delay) For nonfaulty clocks p and q

    $|t^i_p - t^i_q| \le \beta$

Condition 5 (initial synchronization) For nonfaulty clock p

    $t^0_p = 0$

Since we do not want process q to start its (i+1)th clock before process
p starts its ith, we state a nonoverlap condition

Condition 6 (nonoverlap)

    $\beta \le r_{min}$

This, with bounded interval and bounded delay, ensures that for good
clocks p and q, $t^i_p \le t^{i+1}_q$.

All clock synchronization protocols require each process to obtain an 
estimate of the clock values for other processes within the system. Error in 
this estimate can be bounded, but not eliminated. 
Condition 7 (reading error) For nonfaulty clocks p and q

    $|IC^i_q(t^{i+1}_p) - \Theta^{i+1}_p(q)| \le \Lambda$

There is a bound to the number of faults which can be tolerated.(3)

Condition 8 (bounded faults) At any time t, the number of faulty
processes is at most F.

For the purpose of the algorithm presented here, we will assume that the
number of clocks, N, satisfies the inequality $N \ge 3F + 1$.

Synchronization algorithms execute a convergence function $cfn(p, \theta)$
which must satisfy the conditions of translation invariance, precision
enhancement, and accuracy preservation irrespective of the physical
constraints on the system. Shankar mechanically proves that Lamport and
Melliar-Smith's Interactive Convergence function [9] satisfies these three
conditions. The next section defines these conditions in the context of
the fault-tolerant midpoint function used by Welch and Lynch [11].

4 Fault-Tolerant Midpoint as an Instance of Schneider's Schema

The convergence function for the implementation described here is the
fault-tolerant midpoint used by Welch and Lynch in [11]. The function
consists of discarding the F largest and F smallest clock readings, and
then determining the midpoint of the range of the remaining readings. Its
formal definition is

    $cfn_{MID}(p, \theta) = \frac{\theta_{(F+1)} + \theta_{(N-F)}}{2}$

where $\theta_{(m)}$ returns the mth largest element in $\theta$. This
formulation of the convergence function is different from that used in
[11]. A proof of equality between the two formulations is not needed since
it is shown that this formulation satisfies the properties required by
Schneider's paradigm.

(3) This condition will need to be changed to "the number of processes not
working", where working will be a predicate analogous to the one used in
[4, 5]. This is necessary for reasoning about recovery from transient
failures.
This section presents informal proofs that $cfn_{MID}(p, \theta)$ satisfies
the desired properties. The Ehdm proofs are presented in the appendix and
assume that there is a deterministic sorting algorithm which arranges the
array of clock readings. This assumption will need to be discharged when
the implementation is verified.

The properties presented in this section are applicable for any clock 
synchronization protocol which employs the fault -tolerant midpoint conver- 
gence function. All that will be required for a verified implementation is a 
proof that the function is correctly implemented and proofs that the other 
conditions have been satisfied. 

4.1 Translation Invariance 

Translation invariance states that the value obtained by adding x to the 
result of the convergence function should be the same as adding x to each 
of the clock readings used in evaluating the convergence function. 

Condition 9 (translation invariance) For any function $\theta$ mapping
clocks to clock values,

    $cfn(p, (\lambda\, n : \theta(n) + x)) = cfn(p, \theta) + x$

Translation invariance is evident by noticing that for all m:

    $(\lambda\, l : \theta(l) + x)_{(m)} = \theta_{(m)} + x$

and

    $\frac{(\theta_{(F+1)} + x) + (\theta_{(N-F)} + x)}{2} = \frac{\theta_{(F+1)} + \theta_{(N-F)}}{2} + x$

4.2 Precision Enhancement 

Precision enhancement is a formalization of the concept that, after
executing the convergence function, the values of interest should be
closer together.
Condition 10 (precision enhancement) Given any subset C of the N clocks
with $|C| \ge N - F$, and clocks p and q in C, then for any readings
$\gamma$ and $\theta$ satisfying the conditions

1. for any l in C, $|\gamma(l) - \theta(l)| \le x$

2. for any l, m in C, $|\gamma(l) - \gamma(m)| \le y$

3. for any l, m in C, $|\theta(l) - \theta(m)| \le y$

there is a bound $\pi(x, y)$ such that

    $|cfn(p, \gamma) - cfn(q, \theta)| \le \pi(x, y)$

Theorem 2 Precision enhancement is satisfied for $cfn_{MID}(p, \theta)$ if

    $\pi(x, y) = \frac{y}{2} + x$


One characteristic of $cfn_{MID}(p, \theta)$ is that it is possible for it to use
readings from faulty clocks. If this occurs, we know that such readings 
are bounded by readings from good clocks. The next few lemmas establish 
this fact. To prove these lemmas it was necessary to develop a pigeon hole 
principle. 

Lemma 1 (Pigeon Hole Principle) If N is the number of clocks in the
system, and $C_1$ and $C_2$ are subsets of these N clocks,

    $|C_1| + |C_2| \ge N + k \supset |C_1 \cap C_2| \ge k$

This principle greatly simplifies the existence proofs required to establish 
the next two lemmas. First, we establish that the values used in computing 
the convergence function are bounded by readings from good clocks. 

Lemma 2 Given any subset C of the N clocks with $|C| \ge N - F$ and any
reading $\theta$, there exist $p, q \in C$ such that

    $\theta(p) \ge \theta_{(F+1)} \wedge \theta_{(N-F)} \ge \theta(q)$

Proof: By definition, $|\{p : \theta(p) \ge \theta_{(F+1)}\}| \ge F + 1$
(similarly, $|\{q : \theta_{(N-F)} \ge \theta(q)\}| \ge F + 1$). The
conclusion follows immediately from the pigeon hole principle.

Now we introduce a lemma that allows us to relate values from two 
different readings to the same good clock. 

Lemma 3 Given any subset C of the N clocks with $|C| \ge N - F$ and
readings $\theta$ and $\gamma$, there exists a $p \in C$ such that

    $\theta(p) \ge \theta_{(N-F)}$ and $\gamma_{(F+1)} \ge \gamma(p)$.

Proof: Recalling that $N \ge 3F + 1$, we can apply the pigeon hole
principle twice. First to establish that
$|\{p : \theta(p) \ge \theta_{(N-F)}\} \cap C| \ge F + 1$, and then to
establish the conclusion.

An immediate consequence of the preceding lemma is that the readings
used in computing $cfn_{MID}(p, \theta)$ bound a reading from a good clock.

The next lemma introduces a useful fact for bounding the difference 
between good clock values from different readings. 


Lemma 4 Given any subset C of the N clocks, and clock readings $\theta$
and $\gamma$ such that for any l in C the bound $|\theta(l) - \gamma(l)| \le x$
holds, for all $p, q \in C$,

    $\theta(p) \ge \theta(q) \wedge \gamma(q) \ge \gamma(p) \supset |\theta(p) - \gamma(q)| \le x$

Proof: By cases,

• If $\theta(p) \ge \gamma(q)$, then $|\theta(p) - \gamma(q)| \le |\theta(p) - \gamma(p)| \le x$

• If $\theta(p) < \gamma(q)$, then $|\theta(p) - \gamma(q)| \le |\theta(q) - \gamma(q)| \le x$


This enables us to establish the following lemma. 

Lemma 5 Given any subset C of the N clocks, and clock readings $\theta$
and $\gamma$ such that for any l in C the bound $|\theta(l) - \gamma(l)| \le x$
holds, there exist $p, q \in C$ such that

    $\theta(p) \ge \theta_{(F+1)}$,

    $\gamma(q) \ge \gamma_{(F+1)}$, and

    $|\theta(p) - \gamma(q)| \le x$.

Proof: We know from lemma 2 that there are $p_1, q_1 \in C$ that satisfy
the first two conjuncts of the conclusion. There are three cases to
consider:

• If $\gamma(p_1) \ge \gamma(q_1)$, let $p = q = p_1$.

• If $\theta(q_1) \ge \theta(p_1)$, let $p = q = q_1$.

• Otherwise, we have satisfied the hypotheses for lemma 4, so we let
$p = p_1$ and $q = q_1$.


We are now able to establish precision enhancement for $cfn_{MID}(p, \theta)$
(Theorem 2).

Proof: Without loss of generality, assume $cfn_{MID}(p, \gamma) \ge cfn_{MID}(q, \theta)$.

    $|cfn_{MID}(p, \gamma) - cfn_{MID}(q, \theta)|$

    $= \left| \frac{\gamma_{(F+1)} + \gamma_{(N-F)}}{2} - \frac{\theta_{(F+1)} + \theta_{(N-F)}}{2} \right|$

    $= \frac{|\gamma_{(F+1)} + \gamma_{(N-F)} - (\theta_{(F+1)} + \theta_{(N-F)})|}{2}$

Thus we need to show that

    $|\gamma_{(F+1)} + \gamma_{(N-F)} - (\theta_{(F+1)} + \theta_{(N-F)})| \le y + 2x$

By choosing good clocks p, q from lemma 5, $p_1$ from lemma 3 (applied with
the roles of $\theta$ and $\gamma$ exchanged, so that
$\gamma(p_1) \ge \gamma_{(N-F)}$ and $\theta_{(F+1)} \ge \theta(p_1)$), and
$q_1$ from the right conjunct of lemma 2, we establish

    $|\gamma_{(F+1)} + \gamma_{(N-F)} - (\theta_{(F+1)} + \theta_{(N-F)})|$

    $\le |\gamma(q) + (\theta(p) - \theta(p)) + \gamma(p_1) - \theta(p_1) - \theta(q_1)|$

    $\le |\theta(p) - \theta(q_1)| + |\gamma(q) - \theta(p)| + |\gamma(p_1) - \theta(p_1)|$

    $\le y + 2x$ (by hypotheses and lemma 5)


4.3 Accuracy Preservation 

Accuracy preservation formalizes the notion that there should be a bound 
on the amount of correction applied in any synchronization interval. 
Condition 11 (accuracy preservation) Given any subset C of the N clocks
with $|C| \ge N - F$, and clock readings $\theta$ such that for any l and
m in C the bound $|\theta(l) - \theta(m)| \le x$ holds, there is a bound
$\alpha(x)$ such that for any q in C

    $|cfn(p, \theta) - \theta(q)| \le \alpha(x)$

Theorem 3 Accuracy preservation is satisfied for $cfn_{MID}(p, \theta)$ if
$\alpha(x) = x$.

Proof: Begin by selecting $p_1$ and $q_1$ using lemma 2. Clearly,
$\theta(p_1) \ge cfn_{MID}(p, \theta)$ and $cfn_{MID}(p, \theta) \ge \theta(q_1)$.
There are two cases to consider:

• If $\theta(q) \le cfn_{MID}(p, \theta)$, then
$|cfn_{MID}(p, \theta) - \theta(q)| \le |\theta(p_1) - \theta(q)| \le x$.

• If $\theta(q) > cfn_{MID}(p, \theta)$, then
$|cfn_{MID}(p, \theta) - \theta(q)| \le |\theta(q_1) - \theta(q)| \le x$.
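The three properties just proved can be exercised on concrete readings. The
Python below is an added example, not the paper's Ehdm modules: it implements
$cfn_{MID}$ with exact rational arithmetic, checks Conditions 9, 10 and 11 with
the bounds $\pi(x, y) = y/2 + x$ and $\alpha(x) = x$ of Theorems 2 and 3, and
searches for the witnesses promised by Lemmas 2 and 3. The representation of a
reading as a dict from clock id to value, the choice N = 7 and F = 2, the
constructed readings and the random values reported by the faulty clocks are
all assumptions of the example.

```python
"""Fault-tolerant midpoint cfn_MID and checks of the convergence properties of
section 4.  Added example; not the paper's Ehdm proofs.  A reading theta is a
dict mapping clock id -> value; N = 7, F = 2 and all readings are constructed."""
from fractions import Fraction
import random

N, F = 7, 2                      # N >= 3F + 1, as assumed in section 4.4

def nth_largest(theta, m):
    """theta_(m): the mth largest element of the reading theta (m is 1-based)."""
    return sorted(theta.values(), reverse=True)[m - 1]

def cfn_mid(theta, n=N, f=F):
    """cfn_MID(p, theta) = (theta_(F+1) + theta_(N-F)) / 2: discard the F largest
    and F smallest readings, then take the midpoint of the remaining range."""
    return Fraction(nth_largest(theta, f + 1) + nth_largest(theta, n - f), 2)

def spread(theta, good):
    """Largest |theta(l) - theta(m)| over the good clocks (the y of Condition 10)."""
    vals = [theta[l] for l in good]
    return max(vals) - min(vals)

def translation_invariant(theta, x, n=N, f=F):
    """Condition 9: cfn(p, lambda l: theta(l) + x) == cfn(p, theta) + x."""
    shifted = {l: v + x for l, v in theta.items()}
    return cfn_mid(shifted, n, f) == cfn_mid(theta, n, f) + x

def precision_enhancement_holds(gamma, theta, good, n=N, f=F):
    """Condition 10 with pi(x, y) = y/2 + x (Theorem 2); x and y are taken as the
    smallest bounds the two readings satisfy on the good clocks."""
    x = max(abs(gamma[l] - theta[l]) for l in good)
    y = max(spread(gamma, good), spread(theta, good))
    return abs(cfn_mid(gamma, n, f) - cfn_mid(theta, n, f)) <= Fraction(y, 2) + x

def accuracy_preservation_holds(theta, good, n=N, f=F):
    """Condition 11 with alpha(x) = x (Theorem 3): the correction never leaves
    the range spanned by the good readings."""
    x, c = spread(theta, good), cfn_mid(theta, n, f)
    return all(abs(c - theta[q]) <= x for q in good)

def lemma2_witness(theta, good, n=N, f=F):
    """Lemma 2: good p, q with theta(p) >= theta_(F+1) and theta_(N-F) >= theta(q)."""
    ps = [p for p in good if theta[p] >= nth_largest(theta, f + 1)]
    qs = [q for q in good if nth_largest(theta, n - f) >= theta[q]]
    return (ps[0], qs[0]) if ps and qs else None

def lemma3_witness(theta, gamma, good, n=N, f=F):
    """Lemma 3: a good p with theta(p) >= theta_(N-F) and gamma_(F+1) >= gamma(p)."""
    for p in good:
        if theta[p] >= nth_largest(theta, n - f) and nth_largest(gamma, f + 1) >= gamma[p]:
            return p
    return None

def constructed_readings(rng, good, faulty, y, x):
    """Two readings gamma, theta of the same clocks: good values lie within y of
    each other and theta differs from gamma by at most x per good clock; the
    F faulty clocks report arbitrary values (possibly different in each reading)."""
    base = rng.randint(-10**4, 10**4)
    gamma = {l: base + rng.randint(0, y) for l in good}
    theta = {l: gamma[l] + rng.randint(-x, x) for l in good}
    for l in faulty:
        gamma[l] = rng.randint(-10**6, 10**6)
        theta[l] = rng.randint(-10**6, 10**6)
    return gamma, theta

def stress(trials=500, seed=1):
    """Return True if every property and every witness held on `trials` random
    constructed readings with |C| = N - F good clocks."""
    rng = random.Random(seed)
    good, faulty = list(range(N - F)), list(range(N - F, N))
    for _ in range(trials):
        gamma, theta = constructed_readings(rng, good, faulty,
                                            rng.randint(0, 50), rng.randint(0, 5))
        if not (translation_invariant(theta, rng.randint(-99, 99))
                and precision_enhancement_holds(gamma, theta, good)
                and accuracy_preservation_holds(theta, good)
                and accuracy_preservation_holds(gamma, good)
                and lemma2_witness(theta, good) is not None
                and lemma3_witness(theta, gamma, good) is not None):
            return False
    return True

if __name__ == "__main__":
    # constructed reading: clocks 0..4 are good, clocks 5 and 6 report garbage
    theta = {0: 10, 1: 12, 2: 11, 3: 13, 4: 10, 5: 1000, 6: -1000}
    print("cfn_MID =", cfn_mid(theta), "all properties held:", stress())
```

The exact `Fraction` arithmetic matters: with floating point the equality in
Condition 9 and the boundary cases of the two inequalities could fail by
rounding and the checks would report spurious violations.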


4.4 Ehdm Proofs of Convergence Properties

This section presents the important details of the Ehdm proofs that $cfn_{MID}(p, \theta)$
satisfies the convergence properties. In general, the proofs closely follow the 
presentation given above. The Ehdm modules used in this effort are listed in 
the appendix. One underlying assumption is that N > 3F+ 1. This is a well 
known requirement for systems to achieve Byzantine fault-tolerance without 
requiring authentication. Another assumption added for this effort states 
that the array of clock readings can be sorted. Additionally, a few prop- 
erties one would expect to be true of a sorted array were assumed. These 
additional properties used in the Ehdm proofs are (from module clocksort): 

funsort_ax: Axiom

    $i \le j \wedge j \le N \supset \theta(funsort(\theta)(i)) \ge \theta(funsort(\theta)(j))$

funsort_trans_inv: Axiom

    $k \le N \supset (\theta(funsort((\lambda\, q : \theta(q) + x))(k)) = \theta(funsort(\theta)(k)))$

cnt_sort_geq: Axiom

    $k \le N \supset count((\lambda\, p : \theta(p) \ge \theta(funsort(\theta)(k))), N) \ge k$

cnt_sort_leq: Axiom

    $k \le N \supset count((\lambda\, p : \theta(funsort(\theta)(k)) \ge \theta(p)), N) \ge N - k + 1$

These properties will be proven in the context of the design.

A few of the given modules are taken from Shankar's proofs [2]. These 
include the arithmetic modules (absmod, multiplication, and division),
clockassumptions, and countmod. With the exception of countmod these modules
were unaltered. A number of lemmas were added to (and proven in) module 
countmod. The most important of these is the aforementioned pigeon hole 
principle. In addition, lemma count_complement was moved from Shankar's
module ica3 to countmod. Shankar's complete proof was re-run after the 
changes to ensure that nothing was inadvertently destroyed. Future efforts 
will likely require additional modifications to Shankar's modules. 

The induction modules, natinduction and noetherian, were taken from
Rushby's transient recovery verification [6]. The standard induction schema 
was modified to syntactically match that used by Shankar. In addition, a 
lemma was added for complete induction over the natural numbers. The 
remaining modules were generated in the course of this verification. 

The appendix contains the proof chain analysis for the three properties 
stated above. The proof for translation invariance is in module mid, precision
enhancement is in mid3, and accuracy preservation is in mid4. 

5 Proposed Verification 

This section describes the proposed verification that the circuit correctly 
implements the convergence function. First an informal description of the 
circuit is given, and then the verification plan is discussed. This design 
assumes that the network of clocks is completely connected. 

5.1 Informal Description

As in other synchronization algorithms, this one consists of an infinite se-
quence of synchronization intervals of duration R. For the time being,
we will presume the constraints listed above. It is assumed that all good 
clocks know the index of the current interval (a simple counter is sufficient, 
provided that all good channels start the counter in the same interval). The 
major concern is when to begin the next interval. For this we require read- 
ings of the other clocks in the system, and a suitable convergence function. 
As stated above, the selected convergence function is the fault-tolerant mid- 
point. 

In order to execute the convergence function to start the (i+1)th interval
clock, we need an estimate of the other processes' clocks when local time
is (i+1)R (according to $IC^i_p(t)$). Our estimate, $\Theta^{i+1}_p$, of
other clocks is

    $\Theta^{i+1}_p(q) = (i+1)R + (Q - LC_p(t_{pq}))$

where $t_{pq}$ is the time that p receives the signal from q, and LC is a
local counter measuring elapsed time since the beginning of the current
interval. All clocks participating in the protocol know to send their
signal when $LC_q(t) = Q$. The value $(Q - LC_p(t_{pq}))$ gives the
difference between when the local clock expected the signal and when it
observed a signal from q. The reading is taken in such a way that simply
adding the value to the current time gives an estimate of the other
processor's clock at that instant (modulo any effects from drift).

If the local processor p reads its clock at time t it will receive the
pair $(i, LC_p(t))$. This reading gives the duration of time since the
beginning of the protocol. The correct interpretation is
$VC_p(t) = iR + LC_p(t)$. Thus the reading of the virtual clock just before
p resets its registers for the ith interval will be
$iR + cfn_{MID}(p, (\lambda\, q . \Theta^i_p(q) - iR))$. Notice that
translation invariance allows the computation of the convergence function
based solely on $(\lambda\, q . (Q - LC_p(t_{pq})))$.

Figure 3 presents an informal block model of the proposed clock syn- 
chronization circuit. The circuit consists of the following components. 

• N pulse recognizers (only one pulse per clock is recognized in any given
interval),

• a pulse counter (triggers events based upon pulse arrivals),

• a local counter LC (measures elapsed time since beginning of current
interval),

• an interval counter (contains the index i of the current interval),

• one adder for computing the value $-(Q - LC_p(t_{pq}))$,

• one register each for storing $-\theta_{(F+1)}$ and $-\theta_{(N-F)}$,

• an adder for computing the sum of these two registers, and

• a divide-by-2 component.

The pulses are already sorted by arrival time, so it is natural to use a
pulse counter to select the time-stamp of the (F+1)th and the (N-F)th
pulses for the computation of the convergence function. As stated
previously, all that is required is the difference between the local and
remote clocks. Let $\theta = (\lambda\, q . \Theta^{i+1}_p(q) - (i+1)R)$.
When the (F+1)st ((N-F)th) signal is observed, register $-\theta_{(F+1)}$
($-\theta_{(N-F)}$) is clocked, saving the value $-(Q - LC_p(t))$. After
N-F signals have been observed, the multiplexer selects the computed
convergence function instead of Q. When
$LC_p(t) - (-cfn_{MID}(p, \theta)) = R$ it is time to begin the (i+1)st
interval. To do this, all that is required is to increment i and reset LC
to 0. The pulse recognizers, multiplexer select and registers are also
reset at this time.


5.2 Correctness Criteria 

First, the RTL description will be entered in the Ehdm specification
language, and then Ehdm will be used to prove that the RTL description
correctly implements $cfn_{MID}(p, \theta)$. Each block in the informal
model will be decomposed into normal hardware components such as registers,
arithmetic logic units, multiplexors, and standard logic components. A
functional description will be given for each device, and their
composition will be shown to implement the fault-tolerant midpoint
convergence function. This part of
the verification will assume the properties of read error, bounded drift, and 
initial synchronization. Any assumptions about the convergence function 
used in the proofs of translation invariance, precision enhancement, or ac- 
curacy preservation need to be discharged at this level. 

6 Transient Recovery 

The argument for transient recovery capabilities hinges upon the following 
observation: 

As long as there is power to the circuit and no faults are present,
the circuit will execute the algorithm.

Using the fact that the algorithm executes continually, and that pulses can 
be observed during the entire synchronization interval, we can establish 
that up to F transiently affected channels will automatically reintegrate 
themselves into the set of good channels. 

We will break the discussion down into cases: first, the simple case
when F = 1, and then the more general case for F > 1. Remember that
$N \ge 3F + 1$. The reason two cases are considered is that only a simple
modification to the hardware is required to guarantee reintegration when
F = 1; the more general case requires more inventive techniques.





6.1 Single Fault Scenario 

The only modification required is that the synchronization signals include
the sender's value for i (the index for the current synch interval). By
virtue of the maintenance algorithm the N - 1 good clocks are synchronized
within a bounded skew $\delta < R$. Suppose the recovering clock observes
N - 1 pulses within $\delta + 2\Lambda$: it will choose two of these good
values for computing the convergence function, and a simple vote of the
received interval indices will restore correct time to a lost process.

There is a possibility that the readings from the good clocks will straddle
the frame boundary. The recovering clock will be ignored in the
computations of the good channels, and it should adjust its own clock such
that in its next interval it will see all of the good clocks. If the window
is symmetric (i.e. Q = R/2), it is possible that the recovering channel
will compute no correction and will remain unsynchronized. However, if the
window is asymmetric, a split at the boundaries will cause a recovering
process to compute sufficient correction to push it into a region where it
will see all the good clocks in the same interval. Thus, Q should be
selected so that the window is asymmetric (i.e. $Q \ne R/2$).

6.2 General Case 

When $F \ge 2$ the problem becomes more complicated. As above, if the
recovering clock observes N - F pulses within $\delta + 2\Lambda$, it will
restore its synchrony via the convergence function and a vote of the
received interval indices. However, if the good clocks straddle the
boundary, the additional faulty clock(s) can prevent any adjustment from
being computed on the recovering clock. It is likely that recovery cannot
be guaranteed unless a timeout mechanism is added.

6.3 Comparison with Other Approaches

A number of other fault-tolerant clock synchronization protocols allow for
restoration of a lost clock. The approach taken here is very similar to
that proposed by Welch and Lynch [11]. They propose that when a process
awakens, it observes incoming messages until it can determine which round
is underway, and then waits sufficiently long to ensure that it has seen
all valid messages in that round. It can then compute the necessary
correction to become synchronized. Srikanth and Toueg [12] use a similar
approach, modified to the context of their algorithm. Halpern et al. [13]
suggest a rather complicated protocol which requires explicit cooperation
of other clocks in the system. It is more appropriate when the number of
clocks in the system varies greatly over time. All of these approaches have
a common theme, namely, that the joining processor knows that it wants to
join. This implies the presence of some diagnostic logic or timeout
mechanism which triggers the recovery process. The approach suggested here
happens automatically. By virtue of the algorithm's execution in dedicated
hardware, there is no need to awaken a process to participate in the
protocol. The main idea is for the recovering process to converge to a
state where it will observe all other clocks in the same interval, and
then to restore the correct interval counter.


7 Initial Synchronization 

If we can get into a state which satisfies the requirements for precision 
enhancement: 

Given any subset C of the N clocks with |C| ≥ N − F, and clocks p and q 
in C, then for any readings γ and θ satisfying the conditions 

1. for any l in C, |γ(l) − θ(l)| ≤ x 

2. for any l, m in C, |γ(l) − γ(m)| ≤ y 

3. for any l, m in C, |θ(l) − θ(m)| ≤ y 

there is a bound π(x, y) such that 

|cfn(p, γ) − cfn(q, θ)| ≤ π(x, y) 

where y = R/2 and x is the normal value (≈ 2Λ), the above circuit will 
converge to within δ_S in approximately log₂(R/2) intervals. Byzantine 
agreement will then be required to establish a consistent interval counter. It 
will be necessary to ensure that the clocks converge to a state satisfying the 
above constraints. 


7.1 Mechanisms for Initialization 

In order to ensure that we reach a state which satisfies the above 
requirements, it is necessary to identify possible states which violate them. 
Such states would arise from the behavior of clocks prior to the time that 
enough good clocks are running. In previous cases we knew we had a set C of 
good clocks with |C| ≥ N − F. This means that there were a sufficient number 
of clock readings to resolve θ(F+1) and θ(N−F). This may not be the case 
during initialization. We need to determine a course of action when we do 
not observe N − F clocks. Two plausible options are to 

1. pretend all clocks are observed to be in perfect synchrony, or 

2. pretend that unobserved clocks are observed at the end of the interval 
(i.e. (LC − Q) = (R − Q)), and compute the correction based upon this value. 

Both options will be explored. The first option is simple to implement 
because no correction is necessary. When LC = R, set both I and LC 
to 0, and reset the circuit for the next interval. To implement the second 
option, perform the following action when LC = R: if fewer than N − F 
(F + 1) signals are observed, then enable register θ(N−F) (θ(F+1)). This 
will cause the unobserved readings to be (R − Q), which is equivalent to 
observing the pulse at the end of an interval of duration R. 

It will be necessary to define a convergence stair (à la [15]) for scenarios 
that don't converge by default. 
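The convergence behaviour assumed in the introduction to Section 7 and the second initialization option of Section 7.1, as an added example (not the paper's code): the fault-tolerant midpoint is applied by good clocks that read each other without error while a two-faced faulty clock shows each of them a different value, so that the spread of the good clocks halves per round, and unobserved clocks are padded with the reading R − Q. `ft_mid`, `sync_round`, `rounds_to_converge`, `pad_unobserved` and the values of N, F, R and Q are this example's own assumptions; the reading convention (LC − Q) is the one the text gives for option 2.

```python
# Added example (not the paper's code): the fault-tolerant midpoint as the
# convergence function, the halving of the spread that Section 7 relies on,
# and the second initialisation option of Section 7.1.  ft_mid, sync_round,
# rounds_to_converge, pad_unobserved and the numbers used are this
# example's own; the reading convention (LC - Q) is the one the text gives.
from typing import List


def ft_mid(readings: List[float], F: int) -> float:
    """Discard the F smallest and F largest readings, take the midpoint
    of the remaining extremes (needs N >= 3F + 1 readings)."""
    s = sorted(readings)
    if len(s) < 3 * F + 1:
        raise ValueError("fault-tolerant midpoint needs N >= 3F + 1 readings")
    return (s[F] + s[len(s) - 1 - F]) / 2


def spread(values: List[float]) -> float:
    return max(values) - min(values)


def sync_round(good: List[float], faulty_view: List[float], F: int) -> List[float]:
    """One resynchronisation of the good clocks, read without error
    (Lambda = 0).  The faulty clock is two-faced: good clock p reads it as
    faulty_view[p].  Each good clock adopts the midpoint of what it read."""
    return [ft_mid(list(good) + [faulty_view[p]], F) for p in range(len(good))]


def rounds_to_converge(good: List[float], F: int, eps: float) -> int:
    """Resynchronise against a worst-case faulty clock (very low to one
    good clock, very high to the next) until the spread is at most eps.
    Returns the number of rounds used: about log2(initial spread / eps)."""
    rounds = 0
    while spread(good) > eps:
        big = 1e9 + 10 * spread(good)
        view = [-big if p % 2 == 0 else big for p in range(len(good))]
        good = sync_round(good, view, F)
        rounds += 1
    return rounds


def pad_unobserved(observed: List[float], N: int, R: float, Q: float) -> List[float]:
    """Option 2 of Section 7.1: a clock not seen during the interval is
    treated as having pulsed at its end, i.e. with reading LC - Q = R - Q."""
    return list(observed) + [R - Q] * (N - len(observed))


if __name__ == "__main__":
    # Three good clocks 8 units apart, N = 4, F = 1: spread halves per round.
    print(sync_round([0.0, 4.0, 8.0], [-100.0, 100.0, 4.0], 1))  # [2.0, 6.0, 4.0]
    print(rounds_to_converge([0.0, 4.0, 8.0], 1, 1.0))          # 3 = log2(8/1)
    # Initialisation with only two of four clocks seen, R = 1000, Q = 400.
    print(ft_mid(pad_unobserved([100.0, 130.0], 4, 1000.0, 400.0), 1))  # 365.0
```

With perfect reading of the good clocks, the only disagreement between two good clocks' midpoints comes from where the faulty reading lands in the sorted list, which is why the spread halves each round and the number of rounds is logarithmic in the initial spread. Under option 1 no padding is done and the correction is simply zero, so the padded case is the only one that needs code.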

7.2 Comparison to Other Approaches 

Most of the comments concerning the approach to transient recovery are 
applicable here as well. This approach for achieving initial synchronization 
differs from most methods in that it first synchronizes the interval clocks, 
and then it decides upon a value for the current interval. Techniques in [11], 
[12], and [13] all depend upon the good clocks knowing that they wish to 
initialize. Agreement is reached among the clocks wishing to join, and then 
the protocol begins. The approach taken here seems closer to that used in 
[14]; however, details of their approach are not given. 


8 Concluding Remarks 

Clock synchronization provides the cornerstone of any fault-tolerant computer 
architecture. To avoid a single point failure it is imperative that each 
processor maintain a local clock which is periodically resynchronized with 
other clocks in a fault-tolerant manner. Due to subtleties involved in 
reasoning about interactions involving misbehaving components, it is necessary 
to prove that the clock synchronization function operates correctly. Shankar 
[2] provides a mechanical proof (using EHDM [3]) that Schneider's generalized 
protocol [1] achieves Byzantine fault-tolerant clock synchronization, 
provided that eleven constraints are satisfied. Shankar's work provides the 
formal specification of the proposed verified design. 

The fault-tolerant midpoint convergence function has been proven (in 
EHDM) to satisfy the properties of translation invariance, precision 
enhancement, and accuracy preservation. These proofs are reusable in the 
verification of any synchronization algorithm which uses the same function. An 
informal design of a circuit to implement this function has been presented. 
Future efforts will focus on formalizing this design and proving the 
additional required properties from it. A register transfer level description 
of the design will be expressed in the specification language of EHDM, and 
proven to correctly implement the fault-tolerant midpoint function. Other 
properties to be proven from the design include bounded interval, bounded 
delay, initial synchronization, non-overlap, and any assumptions made in 
establishing the properties of the convergence function. Bounded drift is a 
physical property of the oscillator and cannot be established formally. The 
value for drift will be taken from the oscillator's stated performance 
parameters. It is assumed that the number of faults F is less than N/3, where 
N denotes the number of clocks in the system. Read error will be assumed 
in this development, but there is ongoing work at SRI to prove that remote 
clocks can be read with bounded error. An approach for bounding initial 
skew will be verified for the single fault scenario and a more general solution 
will be explored. 

In keeping with the spirit of the Reliable Computing Platform, it is 
imperative that the clock synchronization subsystem provide for recovery 
from transient faults. This paper has argued that the proposed design will 
recover from a single transient fault. This argument will be formalized 
in EHDM using an approach similar to that used by DiVito, Butler, and 
Caldwell for the RCP [4]. Extensions to accommodate the more general case 
will be developed, but would likely involve modifications to the design. An 
interesting feature of this design is that, for the single fault case (i.e. 4, 5, or 6 
clocks), the properties of transient recovery and initial synchronization occur 
automatically. The clock system will recover without explicitly recognizing 
that something is amiss. The system can be augmented to recognize loss of 
synchrony due to a transient fault, but need not do so for recovery purposes. 
A Proof Summary 

Notice that the only modules with failed proofs have the suffix _tcc. These 
modules are automatically generated by EHDM, and cannot be altered by 
the user. When a proof fails the user must prove the type check constraint 
elsewhere. The proof chain analysis (Appendix C) ensures that these 
obligations have been discharged. 

Proof summaries for modules on using chain of module mid_top 

Module mid4_tcc: 1 successful proof, 1 failure, 0 errors 
Module mid3_tcc: 8 successful proofs, 5 failures, 0 errors 
Module mid2_tcc: 2 successful proofs, 2 failures, 0 errors 
Module mid_tcc: 2 successful proofs, 1 failure, 0 errors 
Module tcc_mid: 9 successful proofs, 0 failures, 0 errors 
Module division_tcc: 7 successful proofs, 0 failures, 0 errors 
Module natinduction_tcc: 1 successful proof, 0 failures, 0 errors 
Module countmod_tcc: 3 successful proofs, 3 failures, 0 errors 
Module ft_mid_assume: no proofs 
Module clocksort: no proofs 
Module select_defs: 6 successful proofs, 0 failures, 0 errors 
Module mid: 2 successful proofs, 0 failures, 0 errors 
Module mid2: 2 successful proofs, 0 failures, 0 errors 
Module mid3: 9 successful proofs, 0 failures, 0 errors 
Module noetherian: 1 successful proof, 0 failures, 0 errors 
Module natinduction: 5 successful proofs, 0 failures, 0 errors 
Module countmod: 30 successful proofs, 0 failures, 0 errors 
Module clockassumptions: 9 successful proofs, 0 failures, 0 errors 
Module absmod: 15 successful proofs, 0 failures, 0 errors 
Module division: 11 successful proofs, 0 failures, 0 errors 
Module multiplication: 11 successful proofs, 0 failures, 0 errors 
Module arith: no proofs 
Module mid4: 9 successful proofs, 0 failures, 0 errors 
Module mid_top: 3 successful proofs, 0 failures, 0 errors 

Totals: 146 successful proofs, 12 failures, 0 errors 

Total time: 715 seconds. 
B LaTeX-printed EHDM Modules 

mid_top: Module 

Using mid4, countmod_tcc, natinduction_tcc, division_tcc, tcc_mid 

Theory 

Proof 

posint_TCC1_PROOF: Prove posint_TCC1 {i1 ← 1} 

count_TCC4_pr: Prove count_TCC4 from 
countsize, 
countsize {i ← (if i > 0 then i − 1 else i end if)} 

count_TCC5_pr: Prove count_TCC5 from 
countsize, 
countsize {i ← (if i > 0 then i − 1 else i end if)} 

End mid_top 
countmod_tcc: Module 
Using countmod 
Exporting all with countmod 
Theory 
i1: Var integer 

ppred: Var function[naturalnumber → boolean] 

i: Var naturalnumber 

p: Var naturalnumber 

k: Var naturalnumber 

n: Var naturalnumber 

d1: Var nk_type 

nk: Var nk_type 

nk2: Var nk_type 

j: Var naturalnumber 

posint_TCC1: Formula (∃ i1 : i1 > 0) 

count_TCC1: Formula (i > 0) ⊃ (i − 1 ≥ 0) 

count_TCC2: Formula (ppred(i − 1)) ∧ (i > 0) ⊃ (i − 1 ≥ 0) 

count_TCC3: Formula (¬(ppred(i − 1))) ∧ (i > 0) ⊃ (i − 1 ≥ 0) 

count_TCC4: Formula 
(ppred(i − 1)) ∧ (i > 0) 
⊃ countsize(ppred, i) > countsize(ppred, i − 1) 

count_TCC5: Formula 
(¬(ppred(i − 1))) ∧ (i > 0) 
⊃ countsize(ppred, i) > countsize(ppred, i − 1) 

Proof 

posint_TCC1_PROOF: Prove posint_TCC1 
count_TCC1_PROOF: Prove count_TCC1 
count_TCC2_PROOF: Prove count_TCC2 
count_TCC3_PROOF: Prove count_TCC3 
count_TCC4_PROOF: Prove count_TCC4 
count_TCC5_PROOF: Prove count_TCC5 
End countmod_tcc 
natinduction_tcc: Module 
Using natinduction 
Exporting all with natinduction 
Theory 

m: Var naturalnumber 
n: Var naturalnumber 
i: Var naturalnumber 
j: Var naturalnumber 
d1: Var naturalnumber 
ind_m_proof_TCC1: Formula 
(if n > m then n − m else 0 end if ≥ 0) 

Proof 

ind_m_proof_TCC1_PROOF: Prove ind_m_proof_TCC1 
End natinduction_tcc 
division_tcc: Module 
Using division 

Exporting all with division 

Theory 

x: Var number 
y: Var number 
z: Var number 

mult_div_1_TCC1: Formula (z ≠ 0) ⊃ (z ≠ 0) 
mult_div_TCC1: Formula (y ≠ 0) ⊃ (y ≠ 0) 
div_cancel_TCC1: Formula (x ≠ 0) ⊃ (x ≠ 0) 
ceil_mult_div_TCC1: Formula (y > 0) ⊃ (y ≠ 0) 
div_nonnegative_TCC1: Formula (x > 0 ∧ y > 0) ⊃ (y ≠ 0) 
div_ineq_TCC1: Formula (z > 0 ∧ x < y) ⊃ (z ≠ 0) 
div_minus_1_TCC1: Formula (y > 0 ∧ x < 0) ⊃ (y ≠ 0) 
Proof 

mult_div_1_TCC1_PROOF: Prove mult_div_1_TCC1 
mult_div_TCC1_PROOF: Prove mult_div_TCC1 
div_cancel_TCC1_PROOF: Prove div_cancel_TCC1 
ceil_mult_div_TCC1_PROOF: Prove ceil_mult_div_TCC1 
div_nonnegative_TCC1_PROOF: Prove div_nonnegative_TCC1 
div_ineq_TCC1_PROOF: Prove div_ineq_TCC1 
div_minus_1_TCC1_PROOF: Prove div_minus_1_TCC1 
End division_tcc 
tcc_mid: Module 

Using mid_tcc, mid2_tcc, mid3_tcc, mid4_tcc 

Theory 

Proof 

ft_mid_TCC2_PROOF: Prove ft_mid_TCC2 from ft_mid_maxfaults 

good_less_NF_TCC1_PROOF: Prove good_less_NF_TCC1 from 
ft_mid_maxfaults 

good_less_NF_pr_TCC1_PROOF: Prove good_less_NF_pr_TCC1 from 
ft_mid_maxfaults 

good_between_TCC1_PROOF: Prove good_between_TCC1 from 
ft_mid_maxfaults 

ft_mid_prec_sym1_TCC2_PROOF: Prove ft_mid_prec_sym1_TCC2 from 
ft_mid_maxfaults 

ft_mid_prec_sym1_TCC4_PROOF: Prove ft_mid_prec_sym1_TCC4 from 
ft_mid_maxfaults 

mid_gt_imp_sel_gt_TCC2_PROOF: Prove mid_gt_imp_sel_gt_TCC2 from 
ft_mid_maxfaults 

ft_mid_prec_sym1_pr_TCC2_PROOF: Prove ft_mid_prec_sym1_pr_TCC2 
from ft_mid_maxfaults 

ft_mid_greater_TCC1_PROOF: Prove ft_mid_greater_TCC1 from 
ft_mid_maxfaults 

End tcc_mid 
absmod: Module 
Using multiplication 
Exporting all 
Theory 

x, y, z, x1, y1, z1, x2, y2, z2: Var number 
|∗1|: Definition function[number → number] = 
(λ x : (if x < 0 then −x else x end if)) 

abs_main: Lemma |x| ≤ z ⊃ (x ≤ z ∨ −x ≤ z) 

abs_leq_0: Lemma |x − y| ≤ z ⊃ (x − y) ≤ z 

abs_diff: Lemma |x − y| ≤ z ⊃ ((x − y) ≤ z ∨ (y − x) ≤ z) 

abs_leq: Lemma |x| ≤ z ⊃ (x ≤ z ∨ −x ≤ z) 

abs_bnd: Lemma 
0 ≤ z ∧ 0 ≤ x ∧ x ≤ z ∧ 0 ≤ y ∧ y ≤ z ⊃ |x − y| ≤ z 

abs_1_bnd: Lemma |x − y| ≤ z ⊃ x ≤ y + z 
abs_2_bnd: Lemma |x − y| ≤ z ⊃ x ≥ y − z 
abs_3_bnd: Lemma x ≤ y + z ∧ x ≥ y − z ⊃ |x − y| ≤ z 
abs_drift: Lemma 
|x − y| ≤ z ∧ |x1 − x| ≤ z1 ⊃ |x1 − y| ≤ z + z1 

abs_com: Lemma |x − y| = |y − x| 
abs_drift_2: Lemma 
|x − y| ≤ z ∧ |x1 − x| ≤ z1 ∧ |y1 − y| ≤ z2 
⊃ |x1 − y1| ≤ z + z1 + z2 

abs_geq: Lemma x ≥ y ∧ y ≥ 0 ⊃ |x| ≥ |y| 

abs_ge0: Lemma x ≥ 0 ⊃ |x| = x 

abs_plus: Lemma |x + y| ≤ |x| + |y| 

abs_diff_3: Lemma x − y ≤ z ∧ y − x ≤ z ⊃ |x − y| ≤ z 

Proof 

abs_plus_pr: Prove abs_plus from 
|∗1| {x ← x + y}, |∗1|, |∗1| {x ← y} 

abs_diff_3_pr: Prove abs_diff_3 from |∗1| {x ← x − y} 

abs_ge0_proof: Prove abs_ge0 from |∗1| 

abs_geq_proof: Prove abs_geq from |∗1|, |∗1| {x ← y} 

abs_drift_2_proof: Prove abs_drift_2 from 
abs_drift, 
abs_drift {x ← y, y ← y1, z ← z2, z1 ← z + z1}, 
abs_com {x ← y1} 

abs_com_proof: Prove abs_com from 
|∗1| {x ← (x − y)}, |∗1| {x ← (y − x)} 

abs_drift_proof: Prove abs_drift from 
abs_1_bnd, 
abs_1_bnd {x ← x1, y ← x, z ← z1}, 
abs_2_bnd, 
abs_2_bnd {x ← x1, y ← x, z ← z1}, 
abs_3_bnd {x ← x1, z ← z + z1} 

abs_3_bnd_proof: Prove abs_3_bnd from |∗1| {x ← (x − y)} 

abs_main_proof: Prove abs_main from |∗1| 

abs_leq_0_proof: Prove abs_leq_0 from |∗1| {x ← x − y} 

abs_diff_proof: Prove abs_diff from |∗1| {x ← (x − y)} 

abs_leq_proof: Prove abs_leq from |∗1| 

abs_bnd_proof: Prove abs_bnd from |∗1| {x ← (x − y)} 
abs_1_bnd_proof: Prove abs_1_bnd from |∗1| {x ← (x − y)} 
abs_2_bnd_proof: Prove abs_2_bnd from |∗1| {x ← (x − y)} 
End absmod 
multiplication: Module 
Exporting all 
Theory 

x, y, z, x1, y1, z1, x2, y2, z2: Var number 

∗1 ∗ ∗2: function[number, number → number] = (λ x, y : (x ∗ y)) 

mult_ldistrib: Lemma x ∗ (y + z) = x ∗ y + x ∗ z 

mult_ldistrib_minus: Lemma x ∗ (y − z) = x ∗ y − x ∗ z 

mult_rident: Lemma x ∗ 1 = x 

mult_lident: Lemma 1 ∗ x = x 

distrib: Lemma (x + y) ∗ z = x ∗ z + y ∗ z 

distrib_minus: Lemma (x − y) ∗ z = x ∗ z − y ∗ z 

mult_non_neg: Axiom 
((x ≥ 0 ∧ y ≥ 0) ∨ (x ≤ 0 ∧ y ≤ 0)) ⇔ x ∗ y ≥ 0 

mult_pos: Axiom ((x > 0 ∧ y > 0) ∨ (x < 0 ∧ y < 0)) ⇔ x ∗ y > 0 
mult_com: Lemma x ∗ y = y ∗ x 
pos_product: Lemma x ≥ 0 ∧ y ≥ 0 ⊃ x ∗ y ≥ 0 
mult_le: Lemma 

mult_leq_2: Lemma z ≥ 0 ∧ x ≥ y ⊃ z ∗ x ≥ z ∗ y 

mult_l0: Axiom 0 ∗ x = 0 

mult_gt: Lemma z > 0 ∧ x > y ⊃ x ∗ z > y ∗ z 

Proof 

mult_gt_pr: Prove mult_gt from 
mult_pos {x ← x − y, y ← z}, distrib_minus 

distrib_minus_pr: Prove distrib_minus from 
mult_ldistrib_minus {x ← z, y ← x, z ← y}, 
mult_com {x ← x − y, y ← z}, 
mult_com {y ← z}, 
mult_com {x ← y, y ← z} 

mult_leq_2_pr: Prove mult_leq_2 from 
mult_ldistrib_minus {x ← z, y ← x, z ← y}, 
mult_non_neg {x ← z, y ← x − y} 

mult_leq_pr: Prove mult_leq from 
distrib_minus, mult_non_neg {x ← x − y, y ← z} 

mult_com_pr: Prove mult_com from 
∗1 ∗ ∗2, ∗1 ∗ ∗2 {x ← y, y ← x} 

pos_product_pr: Prove pos_product from mult_non_neg 

mult_rident_proof: Prove mult_rident from ∗1 ∗ ∗2 {y ← 1} 

mult_lident_proof: Prove mult_lident from 
∗1 ∗ ∗2 {x ← 1, y ← x} 

distrib_proof: Prove distrib from 
∗1 ∗ ∗2 {x ← x + y, y ← z}, 
∗1 ∗ ∗2 {y ← z}, 
∗1 ∗ ∗2 {x ← y, y ← z} 

mult_ldistrib_proof: Prove mult_ldistrib from 
∗1 ∗ ∗2 {y ← y + z}, ∗1 ∗ ∗2, ∗1 ∗ ∗2 {y ← z} 

mult_ldistrib_minus_proof: Prove mult_ldistrib_minus from 
∗1 ∗ ∗2 {y ← y − z}, ∗1 ∗ ∗2, ∗1 ∗ ∗2 {y ← z} 

End multiplication 
noetherian: Module [dom: Type, <: function[dom, dom → bool]] 
Assuming 

measure: Var function[dom → nat] 
a, b: Var dom 

well_founded: Formula 
(∃ measure : a < b ⊃ measure(a) < measure(b)) 

Theory 

p, A, B: Var function[dom → bool] 
d, d1, d2: Var dom 

general_induction: Axiom 
(∀ d1 : (∀ d2 : d2 < d1 ⊃ p(d2)) ⊃ p(d1)) ⊃ (∀ d : p(d)) 

d3, d4: Var dom 

mod_induction: Theorem 
(∀ d3, d4 : d4 < d3 ⊃ A(d3) ⊃ A(d4)) 
∧ (∀ d1 : (∀ d2 : d2 < d1 ⊃ (A(d1) ∧ B(d2))) ⊃ B(d2)) 
⊃ (∀ d : A(d) ⊃ B(d)) 

Proof 

mod_proof: Prove 
mod_induction {d1 ← d1@p1, d3 ← d1@p1, d4 ← d2} 
from general_induction {p ← (λ d : A(d) ⊃ B(d))} 

End noetherian 
select_defs: Module 

Using arith, countmod, clockassumptions, clocksort 
Exporting all with clockassumptions 
Theory 

process: Type is nat 

Clocktime: Type is number 

l, m, n, p, q: Var process 

θ: Var function[process → Clocktime] 

i, j, k: Var posint 

T, X, Y, Z: Var Clocktime 

function[function[process → Clocktime], posint 
→ Clocktime] == (λ θ, i : θ(funsort(θ)(i))) 

select_trans_inv: Lemma 
k ≤ N ⊃ (λ q : θ(q) + X)(k) = θ(k) + X 

select_exists1: Lemma i ≤ N ⊃ (∃ p : p ≤ N ∧ θ(p) = 

select_exists2: Lemma p ≤ N ⊃ (∃ i : i ≤ N ∧ θ(p) = θ(i)) 

select_ax: Lemma 1 ≤ i ∧ i ≤ k ∧ k ≤ N ⊃ 

count_geq_select: Lemma 
k ≤ N ⊃ count((λ p : θ(p) ≥ θ(k)), N) ≥ k 

count_leq_select: Lemma 
k ≤ N ⊃ count((λ p : θ(k) ≥ θ(p)), N) ≥ N − k + 1 

Proof 

select_trans_inv_pr: Prove select_trans_inv from 
funsort_trans_inv 

select_exists1_pr: Prove select_exists1 {p ← funsort(θ)(i)} 
from funsort_fun_1_1 {j ← i} 

select_exists2_pr: Prove select_exists2 {i from 
funsort_fun_onto 

select_ax_pr: Prove select_ax from 
funsort_ax {i ← i@c, j ← } 

count_leq_select_pr: Prove count_leq_select from cnt_sort_leq 

count_geq_select_pr: Prove count_geq_select from cnt_sort_geq 

End select_defs 
ft_mid_assume: Module 
Using clockassumptions 
Exporting all with clockassumptions 
Theory 

ft_mid_maxfaults: Axiom N ≥ 3 ∗ F + 1 
End ft_mid_assume 

arith: Module 

Using multiplication, division, absmod 
Exporting all with multiplication, division, absmod 
End arith 
clocksort: Module 

Using clockassumptions 

Exporting all with clockassumptions 

Theory 

l, m, n, p, q: Var process 

i, j, k: Var posint 

X, Y: Var Clocktime 

θ: Var function[process → Clocktime] 

funsort: function[function[process → Clocktime] 
→ function[posint → process]] 

funsort_ax: Axiom 
i ≤ j ∧ j ≤ N ⊃ θ(funsort(θ)(i)) ≥ θ(funsort(θ)(j)) 

funsort_fun_1_1: Axiom 
i ≤ N ∧ j ≤ N ∧ funsort(θ)(i) = funsort(θ)(j) 
⊃ i = j ∧ funsort(θ)(i) ≤ N 

funsort_fun_onto: Axiom 
p ≤ N ⊃ (∃ i : i ≤ N ∧ funsort(θ)(i) = p) 

funsort_trans_inv: Axiom 
k ≤ N ⊃ (θ(funsort((λ q : θ(q) + X))(k)) = θ(funsort(θ)(k))) 

cnt_sort_geq: Axiom 
k ≤ N ⊃ count((λ p : θ(p) ≥ θ(funsort(θ)(k))), N) ≥ k 

cnt_sort_leq: Axiom 
k ≤ N ⊃ count((λ p : θ(funsort(θ)(k)) ≥ θ(p)), N) ≥ N − k + 1 

Proof 

End clocksort 
clockassumptions: Module 
Using arith, countmod 
Exporting all with countmod, arith 
Theory 
N: nat 

N_0: Axiom N > 0 

process: Type is nat 

event: Type is nat 

time: Type is number 

Clocktime: Type is number 

l, m, n, p, q, p1, p2, q1, q2, p3, q3: Var process 

i, j, k: Var event 

x, y, r, s, t: Var time 

X, Y, Z, R, S, T: Var Clocktime 

γ, θ: Var function[process → Clocktime] 

δ, μ, ρ, rmin, rmax, β, Λ: number 

PC∗1(∗2), VC∗1(∗2): function[process, time → Clocktime] 
t∗1^∗2: function[process, event → time] 

θ∗1^∗2: function[process, event 
→ function[process → Clocktime]] 

IC∗1^∗2(∗3): function[process, event, time → Clocktime] 

correct: function[process, time → bool] 

cfn: function[process, function[process → Clocktime] 
→ Clocktime] 

π: function[Clocktime, Clocktime → Clocktime] 
α: function[Clocktime → Clocktime] 

delta_0: Axiom δ > 0 

mu_0: Axiom μ > 0 

rho_0: Axiom ρ > 0 

rho_1: Axiom ρ < 1 

rmin_0: Axiom rmin > 0 

rmax_0: Axiom rmax > 0 
beta_0: Axiom β > 0 
lamb_0: Axiom Λ > 0 

init: Axiom correct(p, 0) ⊃ PC_p(0) ≥ 0 ∧ PC_p(0) ≤ μ 
correct_closed: Axiom s ≥ t ∧ correct(p, s) ⊃ correct(p, t) 
rate_1: Axiom 
correct(p, s) ∧ s ≥ t ⊃ PC_p(s) − PC_p(t) ≤ (s − t) ∗ (1 + ρ) 

rate_2: Axiom 
correct(p, s) ∧ s ≥ t ⊃ PC_p(s) − PC_p(t) ≥ (s − t) ∗ (1 − ρ) 

rts0: Axiom correct(p, t) ∧ t ≤ t_p^(i+1) ⊃ t − t_p^i ≤ rmax 
rts1: Axiom correct(p, t) ∧ t ≥ t_p^(i+1) ⊃ t − t_p^i ≥ rmin 
rts_0: Lemma correct(p, t_p^(i+1)) ⊃ t_p^(i+1) − t_p^i ≤ rmax 

rts_1: Lemma correct(p, t_p^(i+1)) ⊃ t_p^(i+1) − t_p^i ≥ rmin 
rts2: Axiom 
correct(p, t) ∧ t ≥ t_q^i + β ∧ correct(q, t) ⊃ t ≥ t_p^i 

rts_2: Axiom 
correct(p, t_p^i) ∧ correct(q, t_q^i) ⊃ t_p^i − t_q^i ≤ β 
synctime_0: Axiom t_p^0 = 0 
VClock_defn: Axiom 
correct(p, t) ∧ t ≥ t_p^i ∧ t < t_p^(i+1) ⊃ VC_p(t) = IC_p^i(t) 

Adj: function[process, event → Clocktime] = 
(λ p, i : 
(if i > 0 then cfn(p, θ_p^i) − PC_p(t_p^i) else 0 end if)) 
IClock_defn: Axiom correct(p, t) ⊃ IC_p^i(t) = PC_p(t) + Adj(p, i) 

Readerror: Axiom 
correct(p, t_p^(i+1)) ∧ correct(q, t_p^(i+1)) 
⊃ |θ_p^(i+1)(q) − IC_q^i(t_p^(i+1))| ≤ Λ 

translation_invariance: Axiom 
X ≥ 0 ⊃ cfn(p, (λ p1 : γ(p1) + X)) = cfn(p, γ) + X 

ppred: Var function[process → bool] 

F: process 

okay_Readpred: function[function[process → Clocktime], 
Clocktime, function[process → bool] 
→ bool] = 
(λ γ, Y, ppred : 
(∀ l, m : ppred(l) ∧ ppred(m) ⊃ |γ(l) − γ(m)| ≤ Y)) 

okay_pairs: function[function[process → Clocktime], 
function[process → Clocktime], Clocktime, 
function[process → bool] → bool] = 
(λ γ, θ, X, ppred : 
(∀ p3 : ppred(p3) ⊃ |γ(p3) − θ(p3)| ≤ X)) 

N_maxfaults: Axiom F ≤ N 

precision_enhancement_ax: Axiom 
count(ppred, N) ≥ N − F 
∧ okay_Readpred(γ, Y, ppred) 
∧ okay_Readpred(θ, Y, ppred) 
∧ okay_pairs(γ, θ, X, ppred) ∧ ppred(p) ∧ ppred(q) 
⊃ |cfn(p, γ) − cfn(q, θ)| ≤ π(X, Y) 

correct_count: Axiom count((λ p : correct(p, t)), N) ≥ N − F 

okay_Reading: function[function[process → Clocktime], 
Clocktime, time → bool] = 
(λ γ, Y, t : 
(∀ p1, q1 : 
correct(p1, t) ∧ correct(q1, t) ⊃ |γ(p1) − γ(q1)| ≤ Y)) 

okay_Readvars: function[function[process → Clocktime], 
function[process → Clocktime], 
Clocktime, time → bool] = 
(λ γ, θ, X, t : 
(∀ p3 : correct(p3, t) ⊃ |γ(p3) − θ(p3)| ≤ X)) 

okay_Readpred_Reading: Lemma 
okay_Reading(γ, Y, t) 
⊃ okay_Readpred(γ, Y, (λ p : correct(p, t))) 

okay_pairs_Readvars: Lemma 
okay_Readvars(γ, θ, X, t) 
⊃ okay_pairs(γ, θ, X, (λ p : correct(p, t))) 

precision_enhancement: Lemma 
okay_Reading(γ, Y, t_p^(i+1)) 
∧ okay_Reading(θ, Y, t_p^(i+1)) 
∧ okay_Readvars(γ, θ, X, t_p^(i+1)) 
∧ correct(p, t_p^(i+1)) ∧ correct(q, t_p^(i+1)) 
⊃ |cfn(p, γ) − cfn(q, θ)| ≤ π(X, Y) 

okay_Reading_defn_lr: Lemma 
okay_Reading(γ, Y, t) 
⊃ (∀ p1, q1 : 
correct(p1, t) ∧ correct(q1, t) ⊃ |γ(p1) − γ(q1)| ≤ Y) 

okay_Reading_defn_rl: Lemma 
(∀ p1, q1 : 
correct(p1, t) ∧ correct(q1, t) ⊃ |γ(p1) − γ(q1)| ≤ Y) 
⊃ okay_Reading(γ, Y, t) 

okay_Readvars_defn_lr: Lemma 
okay_Readvars(γ, θ, X, t) 
⊃ (∀ p3 : correct(p3, t) ⊃ |γ(p3) − θ(p3)| ≤ X) 

okay_Readvars_defn_rl: Lemma 
(∀ p3 : correct(p3, t) ⊃ |γ(p3) − θ(p3)| ≤ X) 
⊃ okay_Readvars(γ, θ, X, t) 

accuracy_preservation_ax: Axiom 
okay_Readpred(γ, X, ppred) 
∧ count(ppred, N) ≥ N − F ∧ ppred(p) ∧ ppred(q) 
⊃ |cfn(p, γ) − γ(q)| ≤ α(X) 

Proof 

okay_Reading_defn_rl_pr: Prove 
okay_Reading_defn_rl {p1 ← p1@P1S, q1 ← q1@P1S} from 
okay_Reading 

okay_Reading_defn_lr_pr: Prove okay_Reading_defn_lr from 
okay_Reading {p1 ← p1@CS, q1 ← q1@CS} 

okay_Readvars_defn_rl_pr: Prove 
okay_Readvars_defn_rl {p3 ← p3@P1S} from okay_Readvars 

okay_Readvars_defn_lr_pr: Prove okay_Readvars_defn_lr from 
okay_Readvars {p3 ← p3@CS} 

precision_enhancement_pr: Prove precision_enhancement from 
precision_enhancement_ax 
{ppred ← (λ q : correct(q, t_p^(i+1)))}, 
okay_Readpred_Reading {t ← t_p^(i+1)}, 
okay_Readpred_Reading {t ← t_p^(i+1), γ ← θ}, 
okay_pairs_Readvars {t ← t_p^(i+1)}, 
correct_count {t ← t_p^(i+1)} 

okay_Readpred_Reading_pr: Prove okay_Readpred_Reading from 
okay_Readpred {ppred ← (λ p : correct(p, t))}, 
okay_Reading {p1 ← l@P1S, q1 ← m@P1S} 

okay_pairs_Readvars_pr: Prove okay_pairs_Readvars from 
okay_pairs {ppred ← (λ p : correct(p, t))}, 
okay_Readvars {p3 ← p3@P1S} 

rts_0_proof: Prove rts_0 from rts0 {t ← t_p^(i+1)} 
rts_1_proof: Prove rts_1 from rts1 {t ← t_p^(i+1)} 

End clockassumptions 
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countmod: Module 
Exporting all 
Theory 
#i : Var int 

posint: Type from nat with ( A ij : /'i > 0 ) 

Var nat 

i.j. k: Var nat 
j '.y.z.r.s.t: Var number 
X.Y.Z: Var number 

ppred. ppredl. ppred 2 : Var function [nat — bool] 

iLO, 7: Var function[nat — number] 

countsize: function[function[nat — bool], nat — nat] = 

( A ppred, i : /) 

count: Recursive function [function [nat — bool], nat — nat] 
( A ppred, i : 

( if » > 0 

then ( if ppredf? - 1 ) 

then 1 + ( count( ppred, i - 1)) 
else count( ppred. i - 1 ) 
end if) 

else 0 
end if)) 
by countsize 

count.complement: Lemma 

count(( A q : ->ppred(</)), n) = n - count( ppred. 11) 

count.exists: Lemma 

count ( ppred. n) > 03 ( 3 p:jKnA ppred(;>)) 

count-true: Lemma count(( A p : true),n) = n 

count-false: Lemma count(( A p : false), n) = 0 

count.bounded.imp: Lemma 

count(( A p:p< nO ppred(p)), n) = count( ppred, n) 

count-bounded.and: Lemma 

count (( Ap : p < n A ppred(p)),n) = count( ppred, n) 
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pigeon.hole: Lemma 

count(ppredl. v ) + count(ppred2. 11 ) > v + k 
3 count(( A j> : ppredlf/;) A ppred2(/>)). n) > k 

predl,pred2: Var function[nat — bool] 

pred.extensionality: Axiom 

( V;> : predl(/>) = pred2(?>)) 3 predl = pred2 

nk.type: Type = Record »/ : nat. 

k : nat 

end record 

nk. nkl,nk2: Var nk.type 

nk.less: function[nk.type. nk.type — bool] == 

( A nkl, nk2 : nkl.jf + nkl.A- < nk2.» + nk2.A-) 

Proof 

Using natinduction. noetherian 

count.bounded.impO: Lemma 

k > 0 3 count(( Xp : p < k 3 ppred(7>)),0) = count(ppred,0) 

count.bounded.imp.ind: Lemma 

{k > n 3 count (( \p : p < k 3 ppred(/;)), n) 

= count (ppred, n)) 

3 (k > n + 1 

3 count(( X p ' p < k 3 ppred(p)).n + 1) 

= count(ppred, w + 1)) 

count-bounded. imp.k: Lemma 

{k > n D count (( Xp : p < k 3 ppred(/>)),n) 

= count(ppred, i > )) 

count.bounded.impO.pr: Prove count.bounded.impO from 
count {»' — 0}, 

count {ppred — ( Xp: p< k D ppred(/>)), i — 0} 

count. bounded_imp.ind.pr: Prove count.bounded.imp Jnd from 
count {» — v + 1}, 

count {ppred — ( Xp : p < k 3 ppred(p)), i — n + 1} 
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count_bounded.imp_k.pr: Prove count_bounded_imp_k from 
induction 
{prop 

— ( A n : 

k > 7? 

D count(( Xp:p< k D ppred(/;)), n) 

= count (ppred. 7?)), 

? — n}, 

count.bounded.impO, 

count. bounded.impJnd {n — j'&pl} 

count.bounded.imp-pr: Prove count.bounded.imp from 
count.bounded_imp.k {k — n) 

count.bounded.andO: Lemma 
k > 0 D count(( Xp: p < k A ppred(p)).0) = count(ppred.O) 

count.bounded.and.ind: Lemma 
(k > n D count (( Xp : p < k A ppred(p)), » ) = count(ppred. v )) 
D (k > n + 1 

0 count(( Xp : p < k A ppred(p)), n + 1) 

= count(ppred, n + 1)) 

count-bounded.and.k: Lemma 

(k > n D count (( Xp : p < k A ppred(p)), n) = count(ppred, r?)) 

count. bounded. andO.pr: Prove count.bounded.andO from 
count {» — 0}, 

count {ppred — ( Xp : p < k A ppred(p)), i — 0} 

count_bounded.and_ind.pr: Prove count.bounded.and.ind from 
count {i — 77 + 1 }, 

count {ppred — ( X p : p < k A ppred(p)), i — n + 1} 
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count_bounded.and.k_pr: Prove count.bounded.and.k from 
induction 
{prop 

— { A ?) : 

I: > ri 

D count(( A p : p < k A ppred(p)). 77) 

= count (ppred. 77 )), 

7 — 77}, 

count.bounded.andO, 
count-bounded. and.ind {77 — 

count-bounded. and.pr: Prove count.bounded.and from 
count.bounded.and.k {k — 77} 

count .false.pr: Prove count-false from 
count-true, 

count-complement {ppred — (A p : true)}, 
pred.extensionality 

{predl — ( A 77 : ->true), 
pred 2 — (A p : false)} 

ccO: Lemma count(( A q : ->ppred(r/)), 0 ) = 0 — count ( ppred. 0 ) 
cc.ind: Lemma 

(count(( A q : ^ppred (</)). 77) = n - count( ppred. 77)) 

Z> (count(( A q : ->ppred(r/)), 7 ? + 1 ) 

= 77 + 1 - count( ppred . 77 + 1 )) 

ccO-pr: Prove ccO from 

count {ppred — ( A q : -ippred(^)), i — 0 }, 
count {7 — 0 } 

ccjnd.pr: Prove cc.ind from 

count {ppred — ( \q : ->ppred(</)), t 7? + 1 }, 
count {7 — 77 + 1} 
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count_complement_pr: Prove count-complement from 
induction 
{prop 

— (An: 

count (( A q : -»ppred(g)), n) = n - count (ppred. ?»)), 
i — n}, 
ccO, 

cc.ind {n -r-jtip 1} 

instance: Module is noetherianfnk.type, nk Jess] 
nk.measure: function [nk.type — nat] == 

( A nkl : nkl.n + nkl. A) 

nk.well.founded: Prove well-founded {measure — nk.measure} 

nk.ph.pred: function [function[nat — bool], 

function[nat — bool], nk.type — bool] = 

( A ppredl. ppred2, nk : 

count ( ppredl. nk.» ) + count ( ppred2. nk.n ) > nk.n + nk.it 
D count(( A p : ppredl(p) A ppred2(p)), nk.n) > nk .k) 
nk.noeth.pred: function [function [nat — bool], 

functionfnat — bool]. nk_type 
— bool] = 

( A ppredl, ppred2, nkl ; 

( V nk2 i 

nk.less(nk2, nkl) D nk.ph_pred(ppredl,ppred2,nk2))) 
ph-casel: Lemma 

count(( A p : ppredl(p) A ppred2(p)).pred(>?)) > Ic 
D count(( A p : ppredl(p) A ppred2(p)), n) > k 

ph.casel.pr: Prove ph.casel from 
count {ppred — ( A p : ppredl(p) A ppred2(p)), i <— n} 

ph.case2: Lemma 

count(ppredl, pred(n)) + count ( ppred2, pred(n )) < pred(n) + k 
A count ( ppredl, n) + count(ppred2, n) > n + k 

A count(( A p : ppredl(p) A ppred2(p)), pred(n)) > pred(/:) 
D count(( A p : ppredl(p) A ppred2(p)). n) > k 
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ph.case2a: Lemma 

count( ppredl . pred( // ) ) + count(ppred 2 .pred(»)) < pred()/) + k 
A count (ppredl. // ) + count (ppred2. v ) > v + k 
3 ppredl(pred(i>)) A ppred2( pred( u )) 

ph.case2b: Lemma 

w > 0 A k > 0 

A count( ppredl . pred( v ) ) + count( ppred2, pred( n ) ) 

< pred(?i) + k 

A count( ppredl. n ) + count( ppred2. u) > n + k 
3 count( ppredl. pred(?;)) + count(ppred 2 . pred( v )) 

> pred( v) + pred(A-) 

ph.case2a.pr: Prove ph_case2a from 
count { ppred — ppredl, i — w). 
count {ppred — ppred 2 , i v) 

ph.case2b.pr: Prove ph_case2b from 
count {ppred — ppredl, i — »}, 
count {ppred — ppred 2 , i «■} 

ph_case2_pr: Prove ph.case2 from 

count {ppred — ( A p : ppredl(/j) A ppred2(p)), » — ?>}- 
ph.case 2 a 

ph_case0: Lemma
  (n = 0 ∨ k = 0)
    ⊃ (count(ppred1, n) + count(ppred2, n) > n + k
         ⊃ count((λ p : ppred1(p) ∧ ppred2(p)), n) > k)

ph_case0n: Lemma
  (count(ppred1, 0) + count(ppred2, 0) > k
     ⊃ count((λ p : ppred1(p) ∧ ppred2(p)), 0) > k)

ph_case0n_pr: Prove ph_case0n from
  count {ppred ← ppred1, i ← 0},
  count {ppred ← ppred2, i ← 0},
  count {ppred ← (λ p : ppred1(p) ∧ ppred2(p)), i ← 0}

ph_case0k: Lemma count((λ p : ppred1(p) ∧ ppred2(p)), n) ≥ 0

ph_case0k_pr: Prove ph_case0k from
  nat_invariant {nat_var ← count((λ p : ppred1(p) ∧ ppred2(p)), n)}

ph_case0_pr: Prove ph_case0 from ph_case0n, ph_case0k

nk_ph_expand: Lemma
  (∀ n, k :
     (count(ppred1, pred(n)) + count(ppred2, pred(n))
          > pred(n) + pred(k)
        ⊃ count((λ p : ppred1(p) ∧ ppred2(p)), pred(n))
          > pred(k))
     ∧ (count(ppred1, pred(n)) + count(ppred2, pred(n))
          > pred(n) + k
        ⊃ count((λ p : ppred1(p) ∧ ppred2(p)), pred(n))
          > k)
     ⊃ (count(ppred1, n) + count(ppred2, n) > n + k
          ⊃ count((λ p : ppred1(p) ∧ ppred2(p)), n) > k))

nk_ph_expand_pr: Prove nk_ph_expand from
  ph_case0, ph_case1, ph_case2, ph_case2a, ph_case2b

nk_ph_noeth_hyp: Lemma
  (∀ nk1 :
     nk_noeth_pred(ppred1, ppred2, nk1)
       ⊃ nk_ph_pred(ppred1, ppred2, nk1))

nk_ph_noeth_hyp_pr: Prove nk_ph_noeth_hyp from
  nk_ph_pred {nk ← nk1},
  nk_noeth_pred {nk2 ← nk1 with [(n) := pred(nk1.n)]},
  nk_noeth_pred
    {nk2 ← nk1 with [(n) := pred(nk1.n), (k) := pred(nk1.k)]},
  nk_ph_pred {nk ← nk1 with [(n) := pred(nk1.n)]},
  nk_ph_pred
    {nk ← nk1 with [(n) := pred(nk1.n), (k) := pred(nk1.k)]},
  nk_ph_expand {n ← nk1.n, k ← nk1.k},
  ph_case0 {n ← nk1.n, k ← nk1.k},
  nat_invariant {nat_var ← nk1.n},
  nat_invariant {nat_var ← nk1.k}
nk_ph_lem: Lemma nk_ph_pred(ppred1, ppred2, nk)

nk_ph_lem_pr: Prove nk_ph_lem from
  general_induction
    {p ← (λ nk : nk_ph_pred(ppred1, ppred2, nk)),
     d1 ← nk2,
     d ← nk@c},
  nk_ph_noeth_hyp {nk1 ← d1@p1},
  nk_noeth_pred {nk1 ← d1@p1}

pigeon_hole_pr: Prove pigeon_hole from
  nk_ph_lem {nk ← nk with [(k) := k]},
  nk_ph_pred {nk ← nk@p1}

exists_less: function[function[nat → bool], nat → bool] =
  (λ ppred, n : (∃ p : p < n ∧ ppred(p)))

count_exists_base: Lemma
  count(ppred, 0) > 0 ⊃ exists_less(ppred, 0)

count_exists_base_pr: Prove count_exists_base from
  count {i ← 0}, exists_less {n ← 0}

count_exists_ind: Lemma
  (count(ppred, n) > 0 ⊃ exists_less(ppred, n))
    ⊃ (count(ppred, n + 1) > 0 ⊃ exists_less(ppred, n + 1))

count_exists_ind_pr: Prove count_exists_ind from
  count {i ← n + 1},
  exists_less,
  exists_less
    {n ← n + 1,
     p ← (if ppred(n) then n else end if)}
count_exists_pr: Prove count_exists {p ← p@p4} from
  induction
    {prop ← (λ n : count(ppred, n) > 0 ⊃ exists_less(ppred, n)),
     i ← n@c},
  count_exists_base,
  count_exists_ind {n ← j@p1},
  exists_less {n ← }

count_base: Sublemma count(ppred, 0) = 0

count_base_pr: Prove count_base from count {i ← 0}

count_true_ind: Sublemma
  (count((λ p : true), n) = n)
    ⊃ count((λ p : true), n + 1) = n + 1

count_true_ind_pr: Prove count_true_ind from
  count {ppred ← (λ p : true), i ← n + 1}

count_true_pr: Prove count_true from
  induction
    {prop ← (λ n : count((λ p : true), n) = n),
     i ← n@c},
  count_base {ppred ← (λ p : true)},
  count_true_ind {n ←

End countmod
natinduction: Module
Theory

i, j, m, m1, n: Var nat

p, prop: Var function[nat → bool]

induction: Theorem
  (prop(0) ∧ (∀ j : prop(j) ⊃ prop(j + 1))) ⊃ prop(i)

complete_induction: Theorem
  (∀ i : (∀ j : j < i ⊃ p(j)) ⊃ p(i)) ⊃ (∀ n : p(n))

induction_m: Theorem
  p(m) ∧ (∀ i : i ≥ m ∧ p(i) ⊃ p(i + 1))
    ⊃ (∀ n : n ≥ m ⊃ p(n))

limited_induction: Theorem
  (m < m1 ⊃ p(m)) ∧ (∀ i : i ≥ m ∧ i < m1 ∧ p(i) ⊃ p(i + 1))
    ⊃ (∀ n : n ≥ m ∧ n < m1 ⊃ p(n))

Proof

Using noetherian

less: function[nat, nat → bool] == (λ m, n : m < n)

instance: Module is noetherian[nat, less]
x: Var nat

identity: function[nat → nat] == (λ n : n)

discharge: Prove well_founded {measure ← identity}

complete_ind_pr: Prove complete_induction {i ← d@p1} from
  general_induction {d ← n, d1 ← j}

ind_proof: Prove induction {j ← pred(d1@p1)} from
  general_induction {p ← prop, d ← i, d1 ← j}

ind_m_proof: Prove induction_m {i ← j@p1 + m} from
  induction
    {prop ← (λ x : p@c(x + m)),
     i ← if n ≥ m then n − m else 0 end if}

limited_proof: Prove limited_induction {i ← i@p1} from
  induction_m {p ← (λ x : x < m1 ⊃ p@c(x))}

End natinduction


division: Module
Using multiplication, absmod
Exporting all
Theory

x, y, z, x1, y1, z1, x2, y2, z2: Var number
⌈*1⌉: function[number → int]

ceil_defn: Axiom ⌈x⌉ ≥ x ∧ ⌈x⌉ − 1 < x

mult_div_1: Axiom z ≠ 0 ⊃ x * y / z = x * (y / z)

mult_div_2: Axiom z ≠ 0 ⊃ x * y / z = (x / z) * y

mult_div_3: Axiom z ≠ 0 ⊃ (z / z) = 1

mult_div: Lemma y ≠ 0 ⊃ (x / y) * y = x

div_cancel: Lemma x ≠ 0 ⊃ x * y / x = y

div_distrib: Lemma z ≠ 0 ⊃ ((x + y) / z) = (x / z) + (y / z)

ceil_mult_div: Lemma y > 0 ⊃ ⌈x / y⌉ * y ≥ x

ceil_plus_mult_div: Lemma y > 0 ⊃ (⌈x / y⌉ + 1) * y > x

div_nonnegative: Lemma x ≥ 0 ∧ y > 0 ⊃ (x / y) ≥ 0

div_minus_distrib: Lemma
  z ≠ 0 ⊃ (x − y) / z = (x / z) − (y / z)

div_ineq: Lemma z > 0 ∧ x ≤ y ⊃ (x / z) ≤ (y / z)
abs_div: Lemma y > 0 ⊃ |x / y| = |x| / y
mult_minus: Lemma y ≠ 0 ⊃ −(x / y) = (−x / y)
div_minus_1: Lemma y > 0 ∧ x < 0 ⊃ (x / y) < 0

Proof 


div_nonnegative_pr: Prove div_nonnegative from
  mult_non_neg {x ← (if y ≠ 0 then (x / y) else 0 end if)},
  mult_div

div_distrib_pr: Prove div_distrib from
  mult_div_1 {x ← x + y, y ← 1, z ← z},
  mult_rident {x ← x + y},
  mult_div_1 {x ← x, y ← 1, z ← z},
  mult_rident,
  mult_div_1 {x ← y, y ← 1, z ← z},
  mult_rident {x ← y},
  distrib {z ← (if z ≠ 0 then (1 / z) else 0 end if)}

div_cancel_pr: Prove div_cancel from
  mult_div_2 {z ← x},
  mult_div_3 {z ← x},
  mult_lident {x ← y}

mult_div_pr: Prove mult_div from
  mult_div_2 {x ← y},
  mult_div_1 {z ← y},
  mult_div_3 {z ← y},
  mult_rident

abs_div_pr: Prove abs_div from
  |*1| {x ← (if y ≠ 0 then (x / y) else 0 end if)},
  |*1|,
  div_nonnegative,
  div_minus_1,
  mult_minus

mult_minus_pr: Prove mult_minus from
  mult_div_1 {x ← −1, y ← x, z ← y},
  *1 * *2 {x ← −1, y ← x},
  *1 * *2
    {x ← −1,
     y ← (if y ≠ 0 then (x / y) else 1 end if)}

div_minus_1_pr: Prove div_minus_1 from
  mult_div,
  pos_product
    {x ← (if y ≠ 0 then (x / y) else 0 end if),
     y ← y}

div_minus_distrib_pr: Prove div_minus_distrib from
  div_distrib {y ← −y}, mult_minus {x ← y, y ← z}

div_ineq_pr: Prove div_ineq from
  mult_div {y ← z},
  mult_div {x ← y, y ← z},
  mult_gt
    {x ← (if z ≠ 0 then (x / z) else 0 end if),
     y ← (if z ≠ 0 then (y / z) else 0 end if)}

ceil_plus_mult_div_proof: Prove ceil_plus_mult_div from
  ceil_mult_div,
  distrib
    {x ← ⌈(if y ≠ 0 then (x / y) else 0 end if)⌉,
     y ← 1,
     z ← y},
  mult_lident {x ← y}

ceil_mult_div_proof: Prove ceil_mult_div from
  mult_div,
  mult_leq
    {x ← ⌈(if y ≠ 0 then (x / y) else 0 end if)⌉,
     y ← (if y ≠ 0 then (x / y) else 0 end if),
     z ← y},
  ceil_defn {x ← (if y ≠ 0 then (x / y) else 0 end if)}
End division
mid_tcc: Module
Using mid

Exporting all with mid
Theory

ft_mid_TCC1: Formula (F + 1 > 0)
ft_mid_TCC2: Formula (N − F > 0) ∧ (N − F > 0)
ft_mid_TCC3: Formula (2 ≠ 0)

Proof

ft_mid_TCC1_PROOF: Prove ft_mid_TCC1
ft_mid_TCC2_PROOF: Prove ft_mid_TCC2
ft_mid_TCC3_PROOF: Prove ft_mid_TCC3
End mid_tcc
mid2_tcc: Module
Using mid2

Exporting all with mid2
Theory

ppred: Var function[naturalnumber → boolean]
p: Var naturalnumber
good_greater_F1_TCC1: Formula
  (ppred(p)) ∧ (count(ppred, N) > N − F) ⊃ (F + 1 > 0)

good_less_NF_TCC1: Formula
  (ppred(p)) ∧ (count(ppred, N) > N − F)
    ⊃ (N − F > 0) ∧ (N − F > 0)

good_greater_F1_pr_TCC1: Formula (F + 1 > 0)
good_less_NF_pr_TCC1: Formula (N − F > 0) ∧ (N − F > 0)
Proof

good_greater_F1_TCC1_PROOF: Prove good_greater_F1_TCC1
good_less_NF_TCC1_PROOF: Prove good_less_NF_TCC1
good_greater_F1_pr_TCC1_PROOF: Prove good_greater_F1_pr_TCC1
good_less_NF_pr_TCC1_PROOF: Prove good_less_NF_pr_TCC1
End mid2_tcc
mid3_tcc: Module
Using mid3

Exporting all with mid3

Theory

X: Var number
Z: Var number

ppred: Var function[naturalnumber → boolean]
k: Var countmod.posint

ppred2: Var function[naturalnumber → boolean]
ppred1: Var function[naturalnumber → boolean]

θ: Var function[naturalnumber → number]

γ: Var function[naturalnumber → number]
q: Var naturalnumber
Var naturalnumber
p1: Var naturalnumber
p: Var naturalnumber
q1: Var naturalnumber
ft_mid_Pi_TCC1: Formula (2 ≠ 0)

good_geq_F_add1_TCC1: Formula
  (ppred(p)) ∧ (count(ppred, N) > N − F) ⊃ (F + 1 > 0)

okay_pair_geq_F_add1_TCC1: Formula
  (ppred(p1))
    ∧ (count(ppred, N) > N − F ∧ okay_pairs(θ, γ, X, ppred))
    ⊃ (F + 1 > 0)

okay_pair_geq_F_add1_TCC2: Formula
  (ppred(q1))
    ∧ (θ(p1) ≥ θ(F+1))
    ∧ (ppred(p1))
    ∧ (count(ppred, N) > N − F
         ∧ okay_pairs(θ, γ, X, ppred))
    ⊃ (F + 1 > 0)
good_between_TCC1: Formula
  (γ(F+1) ≥ γ(p)) ∧ (ppred(p)) ∧ (count(ppred, N) > N − F)
    ⊃ (N − F > 0) ∧ (N − F > 0)

ft_mid_prec_sym1_TCC1: Formula
  (okay_Readpred(γ, Z, ppred))
    ∧ (okay_Readpred(θ, Z, ppred))
    ∧ (okay_pairs(θ, γ, X, ppred))
    ∧ (count(ppred, N) > N − F)
    ⊃ (F + 1 > 0)

ft_mid_prec_sym1_TCC2: Formula
  (okay_Readpred(γ, Z, ppred))
    ∧ (okay_Readpred(θ, Z, ppred))
    ∧ (okay_pairs(θ, γ, X, ppred))
    ∧ (count(ppred, N) > N − F)
    ⊃ (N − F > 0) ∧ (N − F > 0)

ft_mid_prec_sym1_TCC3: Formula
  (count(ppred, N) > N − F
     ∧ okay_pairs(θ, γ, X, ppred)
     ∧ okay_Readpred(θ, Z, ppred)
     ∧ okay_Readpred(γ, Z, ppred)
     ∧ ((θ(F+1) + θ(N−F))
          ≥ (γ(F+1) + γ(N−F))))
    ⊃ (F + 1 > 0)

ft_mid_prec_sym1_TCC4: Formula
  (count(ppred, N) > N − F
     ∧ okay_pairs(θ, γ, X, ppred)
     ∧ okay_Readpred(θ, Z, ppred)
     ∧ okay_Readpred(γ, Z, ppred)
     ∧ ((θ(F+1) + θ(N−F))
          ≥ (γ(F+1) + γ(N−F))))
    ⊃ (N − F > 0) ∧ (N − F > 0)

mid_gt_imp_sel_gt_TCC1: Formula
  (cfn_MID(p, θ) ≥ cfn_MID(q, γ)) ⊃ (F + 1 > 0)

mid_gt_imp_sel_gt_TCC2: Formula
  ⊃ (N − F > 0) ∧ (N − F > 0)

ft_mid_prec_sym1_pr_TCC1: Formula (F + 1 > 0)
ft_mid_prec_sym1_pr_TCC2: Formula (N − F > 0) ∧ (N − F > 0)
Proof

ft_mid_Pi_TCC1_PROOF: Prove ft_mid_Pi_TCC1

good_geq_F_add1_TCC1_PROOF: Prove good_geq_F_add1_TCC1

okay_pair_geq_F_add1_TCC1_PROOF: Prove
  okay_pair_geq_F_add1_TCC1

okay_pair_geq_F_add1_TCC2_PROOF: Prove
  okay_pair_geq_F_add1_TCC2

good_between_TCC1_PROOF: Prove good_between_TCC1
ft_mid_prec_sym1_TCC1_PROOF: Prove ft_mid_prec_sym1_TCC1
ft_mid_prec_sym1_TCC2_PROOF: Prove ft_mid_prec_sym1_TCC2
ft_mid_prec_sym1_TCC3_PROOF: Prove ft_mid_prec_sym1_TCC3
ft_mid_prec_sym1_TCC4_PROOF: Prove ft_mid_prec_sym1_TCC4
mid_gt_imp_sel_gt_TCC1_PROOF: Prove mid_gt_imp_sel_gt_TCC1
mid_gt_imp_sel_gt_TCC2_PROOF: Prove mid_gt_imp_sel_gt_TCC2
ft_mid_prec_sym1_pr_TCC1_PROOF: Prove ft_mid_prec_sym1_pr_TCC1
ft_mid_prec_sym1_pr_TCC2_PROOF: Prove ft_mid_prec_sym1_pr_TCC2
End mid3_tcc
mid4_tcc: Module
Using mid4

Exporting all with mid4
Theory

q: Var naturalnumber

p: Var naturalnumber

y: Var number

x: Var number

p1: Var naturalnumber

ft_mid_less_TCC1: Formula (F + 1 > 0)

ft_mid_greater_TCC1: Formula (N − F > 0) ∧ (N − F > 0)
Proof

ft_mid_less_TCC1_PROOF: Prove ft_mid_less_TCC1
ft_mid_greater_TCC1_PROOF: Prove ft_mid_greater_TCC1
End mid4_tcc
mid: Module

Using arith, clockassumptions, select_defs, ft_mid_assume

Exporting all with select_defs

Theory

process: Type is nat

Clocktime: Type is number

l, m, n, p, q: Var process

ϑ: Var function[process → Clocktime]

Var posint

T, X, Y, Z: Var Clocktime

cfn_MID: function[process, function[process → Clocktime]
                  → Clocktime] =
  (λ p, ϑ :

ft_mid_trans_inv: Lemma
  cfn_MID(p, (λ q : ϑ(q) + X)) = cfn_MID(p, ϑ) + X

Proof

add_assoc_hack: Lemma X + Y + Z + Y = (X + Z) + 2 * Y

add_assoc_hack_pr: Prove add_assoc_hack from
  *1 * *2 {x ← 2, y ← Y}

ft_mid_trans_inv_pr: Prove ft_mid_trans_inv from
  cfn_MID,
  cfn_MID {ϑ ← (λ q : ϑ(q) + X)},
  select_trans_inv {k ← F + 1},
  select_trans_inv {k ← N − F},
  add_assoc_hack
    {X ← ϑ(F+1),
     Z ← ϑ(N−F),
     Y ← X},
  div_distrib
    {x ← (ϑ(F+1) + ϑ(N−F)),
     y ← 2 * X,
     z ← 2},
  div_cancel {x ← 2, y ← X},
  ft_mid_maxfaults

End mid
mid2: Module

Using arith, clockassumptions, mid
Exporting all with mid
Theory

Clocktime: Type is number

m, n, p, q, p1, q1: Var process

i, j, k, l: Var posint

x, y, z, r, s, t: Var time

D, X, Y, Z, R, S, T: Var Clocktime

ϑ, θ, γ: Var function[process → Clocktime]

ppred, ppred1, ppred2: Var function[process → bool]

good_greater_F1: Lemma
  count(ppred, N) > N − F ⊃ (∃ p : ppred(p) ∧ ϑ(p) ≥ ϑ(F+1))

good_less_NF: Lemma
  count(ppred, N) > N − F ⊃ (∃ p : ppred(p) ∧ ϑ(p) ≤ ϑ(N−F))

Proof

good_greater_F1_pr: Prove good_greater_F1 {p ← p@p3} from
  count_geq_select {k ← F + 1},
  ft_mid_maxfaults,
  count_exists
    {ppred ← (λ p1 : ppred1@p4(p1) ∧ ppred2@p4(p1)),
     n ← N},
  pigeon_hole
    {ppred1 ← ppred,
     ppred2 ← (λ p1 : ϑ(p1) ≥ ϑ(F+1)),
     n ← N,
     k ← 1}
good_less_NF_pr: Prove good_less_NF {p ← p@p3} from
  count_leq_select {k ← N − F},
  ft_mid_maxfaults,
  count_exists
    {ppred ← (λ p1 : ppred1@p4(p1) ∧ ppred2@p4(p1)),
     n ← N},
  pigeon_hole
    {ppred1 ← ppred,
     ppred2 ← (λ p1 : ϑ(p1) ≤ ϑ(N−F)),
     n ← N,
     k ← 1}

End mid2




mid3: Module

Using arith, clockassumptions, mid2
Exporting all with mid2
Theory

Clocktime: Type is number
m, n, p, q, p1, q1: Var process
i, j, k, l: Var posint
x, y, r, s, t: Var time
D, X, Y, Z, R, S, T: Var Clocktime

γ: Var function[process → Clocktime]
ppred, ppred1, ppred2: Var function[process → bool]
ft_mid_Pi: function[Clocktime, Clocktime → Clocktime] ==
  (λ X, Z : Z / 2 + X)

exchange_order: Lemma
  ppred(p)
    ∧ ppred(q)
    ∧ θ(q) ≤ θ(p)
    ∧ γ(p) ≤ γ(q) ∧ okay_pairs(θ, γ, X, ppred)
    ⊃ |θ(p) − γ(q)| ≤ X

good_geq_F_add1: Lemma
  count(ppred, N) > N − F ⊃ (∃ p : ppred(p) ∧ ϑ(p) ≥

okay_pair_geq_F_add1: Lemma
  count(ppred, N) > N − F ∧ okay_pairs(θ, γ, X, ppred)
    ⊃ (∃ p1, q1 :
         ppred(p1)
           ∧ θ(p1) ≥ θ(F+1)
           ∧ ppred(q1)
           ∧ γ(q1) ≥ γ(F+1) ∧ |θ(p1) − γ(q1)| ≤ X)

good_between: Lemma
  count(ppred, N) > N − F
    ⊃ (∃ p : ppred(p) ∧ γ(F+1) ≥ γ(p) ∧ θ(p) ≥ θ(N−F))

ft_mid_precision_enhancement: Lemma
  ppred(p)
    ∧ ppred(q)
    ∧ count(ppred, N) > N − F
    ∧ okay_pairs(θ, γ, X, ppred)
    ∧ okay_Readpred(θ, Z, ppred)
    ∧ okay_Readpred(γ, Z, ppred)
    ⊃ |cfn_MID(p, θ) − cfn_MID(q, γ)| ≤ ft_mid_Pi(X, Z)

ft_mid_prec_enh_sym: Lemma
  ppred(p)
    ∧ ppred(q)
    ∧ count(ppred, N) > N − F
    ∧ okay_pairs(θ, γ, X, ppred)
    ∧ okay_Readpred(θ, Z, ppred)
    ∧ okay_Readpred(γ, Z, ppred)
    ∧ (cfn_MID(p, θ) ≥ cfn_MID(q, γ))
    ⊃ |cfn_MID(p, θ) − cfn_MID(q, γ)| ≤ ft_mid_Pi(X, Z)

ft_mid_prec_sym1: Lemma
  count(ppred, N) > N − F
    ∧ okay_pairs(θ, γ, X, ppred)
    ∧ okay_Readpred(θ, Z, ppred)
    ∧ okay_Readpred(γ, Z, ppred)
    ∧ ((θ(F+1) + θ(N−F))
         ≥ (γ(F+1) + γ(N−F)))
    ⊃ |(θ(F+1) + θ(N−F)) − (γ(F+1) + γ(N−F))|
        ≤ Z + 2 * X

mid_gt_imp_sel_gt: Lemma
  cfn_MID(p, θ) ≥ cfn_MID(q, γ)
    ⊃ ((θ(F+1) + θ(N−F)) ≥ (γ(F+1) + γ(N−F)))

okay_pairs_sym: Lemma
  okay_pairs(θ, γ, X, ppred) ⊃ okay_pairs(γ, θ, X, ppred)
Proof
ft_mid_prec_sym1_pr: Prove ft_mid_prec_sym1 from
  good_between,
  okay_pair_geq_F_add1,
  good_less_NF {ϑ ← γ},
  abs_geq
    {x ← (γ(q1@p2) − γ(p@p1)) + (θ(p@p1) − γ(q1@p1))
           + (θ(p1@p2) − γ(q1@p2)),
     y ← (θ(F+1) + θ(N−F)) − (γ(F+1) + γ(N−F))},
  abs_plus
    {x ← (γ(q1@p2) − γ(p@p1)) + (θ(p@p1) − γ(q1@p1)),
     y ← (θ(p1@p2) − γ(q1@p2))},
  abs_plus
    {x ← (γ(q1@p2) − γ(p@p1)),
     y ← (θ(p@p1) − γ(q1@p1))},
  okay_pairs {γ ← θ, θ ← γ, p3 ← p@p1},
  okay_Readpred
    {γ ← γ,
     Y ← Z,
     l ← q1@p2,
     m ← p@p1},
  distrib {x ← −1, y ← 1, z ← X},
  mult_lident {x ← X}

mid_gt_imp_sel_gt_pr: Prove mid_gt_imp_sel_gt from
  cfn_MID,
  cfn_MID {ϑ ← γ, p ← q},
  mult_leq
    {x ← cfn_MID(p, θ),
     y ← cfn_MID(q, γ),
     z ← 2},
  mult_div {x ← (θ(F+1) + θ(N−F)), y ← 2},
  mult_div {x ← (γ(F+1) + γ(N−F)), y ← 2}
ft_mid_prec_enh_sym_pr: Prove ft_mid_prec_enh_sym from
  cfn_MID,
  cfn_MID {ϑ ← γ, p ← q},
  div_minus_distrib
    {x ← (θ(F+1) + θ(N−F)),
     y ← (γ(F+1) + γ(N−F)),
     z ← 2},
  abs_div
    {x ← (θ(F+1) + θ(N−F)) − (γ(F+1) + γ(N−F)),
     y ← 2},
  ft_mid_prec_sym1,
  mid_gt_imp_sel_gt,
  div_ineq
    {x ← |(θ(F+1) + θ(N−F)) − (γ(F+1) + γ(N−F))|,
     y ← Z + 2 * X,
     z ← 2},
  div_distrib {x ← Z, y ← 2 * X, z ← 2},
  div_cancel {x ← 2, y ← X}

okay_pairs_sym_pr: Prove okay_pairs_sym from
  okay_pairs {γ ← θ, θ ← γ, p3 ← p3@p2},
  okay_pairs {γ ← θ, θ ← θ},
  abs_com {x ← θ(p3@p2), y ← γ(p3@p2)}

ft_mid_precision_enhancement_pr: Prove
  ft_mid_precision_enhancement from
  ft_mid_prec_enh_sym,
  ft_mid_prec_enh_sym
    {p ← q@p1,
     q ← p@p1,
     θ ← γ@p1,
     γ ← θ@p1},
  okay_pairs_sym,
  abs_com {x ← cfn_MID(p, θ), y ←
okay_pair_geq_F_add1_pr: Prove
  okay_pair_geq_F_add1
    {p1 ← if (θ(p@p2) ≥ θ(p@p1))
            then p@p2
          elsif (γ(p@p1) ≥ γ(p@p2)) then p@p1 else p@p1
          end if,
     q1 ← if (θ(p@p2) ≥ θ(p@p1))
            then p@p2
          elsif (γ(p@p1) ≥ γ(p@p2)) then p@p1 else
          end if} from
  good_geq_F_add1 {ϑ ← θ},
  good_geq_F_add1 {ϑ ← γ},
  exchange_order {p ← p@p1, q ← p@p2},
  okay_pairs {γ ← θ, θ ← γ, p3 ← p@p1},
  okay_pairs {γ ← θ, θ ← γ, p3 ← p@p2}

good_geq_F_add1_pr: Prove good_geq_F_add1 {p ← p@p1} from
  count_exists
    {ppred ← (λ p : ((ppred1@p2)(p)) ∧ ((ppred2@p2)(p))),
     n ← N},
  pigeon_hole
    {n ← N,
     k ← 1,
     ppred1 ← ppred,
     ppred2 ← (λ p : ϑ(p) ≥ )},
  count_geq_select {k ← F + 1},
  ft_mid_maxfaults
good_between_pr: Prove good_between {p ← p@p1} from
  count_exists
    {ppred ← (λ p : ((ppred1@p2)(p)) ∧ ((ppred2@p2)(p))),
     n ← N},
  pigeon_hole
    {n ← N,
     k ← 1,
     ppred1 ← (λ p : ((ppred1@p3)(p)) ∧ ((ppred2@p3)(p))),
     ppred2 ← (λ p : θ(p) ≥ θ(N−F))},
  pigeon_hole
    {n ← N,
     k ←
     ppred1 ← ppred,
     ppred2 ← (λ p : γ(F+1) ≥ γ(p))},
  count_geq_select {ϑ ← θ, k ← N − F},
  count_leq_select {ϑ ← γ, k ← F + 1},
  ft_mid_maxfaults

exchange_order_pr: Prove exchange_order from
  okay_pairs {γ ← θ, θ ← γ, p3 ← p},
  okay_pairs {γ ← θ, θ ← γ, p3 ← q},
  abs_geq {x ← (θ(p) − γ(p)), y ← θ(p) − γ(q)},
  abs_geq {x ← (γ(q) − θ(q)), y ← γ(q) − θ(p)},
  abs_com {x ← θ(q), y ← γ(q)},
  abs_com {x ← θ(p), y ← γ(q)}

End mid3
mid4: Module

Using arith, clockassumptions, mid3
Exporting all with clockassumptions, mid3
Theory

process: Type is nat
Clocktime: Type is number
m, n, p, q, p1, q1: Var process
i, j, k: Var posint
y, z, r, s, t: Var time
D, X, Y, Z, R, S, T: Var Clocktime
ϑ, θ, γ: Var function[process → Clocktime]
ppred, ppred1, ppred2: Var function[process → bool]

ft_mid_accuracy_preservation: Lemma
  ppred(p)
    ∧ ppred(q)
    ∧ count(ppred, N) > N − F ∧ okay_Readpred(ϑ, X, ppred)
    ⊃ |cfn_MID(p, ϑ) − ϑ(q)| ≤ X

ft_mid_less: Lemma cfn_MID(p, ϑ) ≤ ϑ(F+1)

ft_mid_greater: Lemma cfn_MID(p, ϑ) ≥ ϑ(N−F)

abs_q_less: Lemma
  count(ppred, N) > N − F
    ⊃ (∃ p1 : ppred(p1) ∧ ϑ(p1) ≤ cfn_MID(p, ϑ))

abs_q_greater: Lemma
  count(ppred, N) > N − F
    ⊃ (∃ p1 : ppred(p1) ∧ ϑ(p1) ≥ cfn_MID(p, ϑ))

ft_mid_bnd_by_good: Lemma
  count(ppred, N) > N − F
    ⊃ (∃ p1 :
         ppred(p1) ∧ |cfn_MID(p, ϑ) − ϑ(q)| ≤ |ϑ(p1) − ϑ(q)|)

maxfaults_lem: Lemma F + 1 < N − F

ft_select: Lemma ϑ(F+1) ≥ ϑ(N−F)

Proof

ft_select_pr: Prove ft_select from
  select_ax {i ← F + 1, k ← N − F}, maxfaults_lem

maxfaults_lem_pr: Prove maxfaults_lem from ft_mid_maxfaults

ft_mid_bnd_by_good_pr: Prove
  ft_mid_bnd_by_good
    {p1 ← (if cfn_MID(p, ϑ) ≥ ϑ(q)
             then p1@p1
             else p1@p2
           end if)} from
  abs_q_greater,
  abs_q_less,
  abs_com {x ← y ← ϑ(p1@c)},
  abs_com {x ← y ← cfn_MID(p, ϑ)},
  abs_geq {x ← x@p3 − y@p3, y ← x@p4 − y@p4},
  abs_geq {x ← ϑ(p1@c) − ϑ(q), y ← cfn_MID(p, ϑ) −

abs_q_less_pr: Prove abs_q_less {p1 ← p@p1} from
  good_less_NF, ft_mid_greater

abs_q_greater_pr: Prove abs_q_greater {p1 ← p@p1} from
  good_greater_F1, ft_mid_less

mult_hack: Lemma X + X = 2 * X

mult_hack_pr: Prove mult_hack from *1 * *2 {x ← 2, y ← X}

ft_mid_less_pr: Prove ft_mid_less from
  cfn_MID,
  ft_select,
  div_ineq
    {x ← (ϑ(F+1) + ϑ(N−F)),
     y ← (ϑ(F+1) + ϑ(F+1)),
     z ← 2},
  div_cancel {x ← 2, y ← ϑ(F+1)},
  mult_hack {X ← ϑ(F+1)}

ft_mid_greater_pr: Prove ft_mid_greater from
  cfn_MID,
  ft_select,
  div_ineq
    {x ← ( + ϑ(N−F)),
     y ← (ϑ(F+1) + )},
  div_cancel {x ← 2, y ← ϑ(N−F)},
  mult_hack {X ← ϑ(N−F)}

ft_mid_acc_pres_pr: Prove ft_mid_accuracy_preservation from
  ft_mid_bnd_by_good,
  okay_Readpred
    {γ ←
     Y ← X,
     l ← p1@p1,
     m ←

End mid4
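The lemmas of modules mid through mid4 can be exercised on concrete readings. The following is an added example, not part of the original EHDM specification: it computes cfn_MID with the k-th largest selection and checks translation invariance, the ft_mid_less/ft_mid_greater bounds, the pigeon-hole lemma, accuracy preservation and precision enhancement on a constructed 7-clock sample (the readings, F, the good-process set and the bounds X and Z are all assumptions of the example).

```python
"""Fault-tolerant midpoint cfn_MID and executable checks of the lemmas in
modules mid .. mid4: translation invariance, the ft_mid_less/greater bounds,
accuracy preservation and precision enhancement.

Added example, not part of the original EHDM specification. The readings,
F, the good-process set and the bounds X and Z below are constructed;
processes are indexed 0..N-1 and readings are exact Fractions."""
from fractions import Fraction


def select(theta, k):
    """theta_(k): the k-th largest of the N readings, 1-based (select_defs)."""
    return sorted(theta, reverse=True)[k - 1]


def cfn_mid(theta, F):
    """cfn_MID(p, theta) = (theta_(F+1) + theta_(N-F)) / 2, valid only under the
    maximum fault assumption ft_mid_maxfaults: F + 1 < N - F."""
    N = len(theta)
    if not F + 1 < N - F:
        raise ValueError("ft_mid_maxfaults violated: need F + 1 < N - F")
    return (select(theta, F + 1) + select(theta, N - F)) / 2


def count(ppred, n):
    """count(ppred, n): number of processes p < n with ppred(p)."""
    return sum(1 for p in range(n) if ppred(p))


def okay_readpred(theta, Y, ppred):
    """okay_Readpred(theta, Y, ppred): good readings are pairwise within Y."""
    good_ps = [p for p in range(len(theta)) if ppred(p)]
    return all(abs(theta[l] - theta[m]) <= Y for l in good_ps for m in good_ps)


def okay_pairs(theta, gamma, X, ppred):
    """okay_pairs(theta, gamma, X, ppred): the two observers read every good
    clock within X of each other."""
    return all(abs(theta[p] - gamma[p]) <= X
               for p in range(len(theta)) if ppred(p))


def pigeon_hole(ppred1, ppred2, n, k):
    """countmod.pigeon_hole checked at runtime: counts exceeding n + k force
    more than k processes to satisfy both predicates."""
    if count(ppred1, n) + count(ppred2, n) > n + k:
        return count(lambda p: ppred1(p) and ppred2(p), n) > k
    return True  # hypothesis false, so the implication holds


def check_mid_lemmas(theta, gamma, F, ppred, X, Z):
    """Evaluate the conclusions of the mid2/mid3/mid4 lemmas for observer
    views theta and gamma of the same N clocks; every value must be True."""
    N = len(theta)
    assert count(ppred, N) > N - F, "need more than N - F good processes"
    assert okay_readpred(theta, Z, ppred) and okay_readpred(gamma, Z, ppred)
    assert okay_pairs(theta, gamma, X, ppred)
    good_ps = [p for p in range(N) if ppred(p)]
    mid_t, mid_g = cfn_mid(theta, F), cfn_mid(gamma, F)
    shift = Fraction(7)  # arbitrary offset for the translation check
    return {
        # ft_mid_trans_inv: shifting all readings by X shifts the result by X
        "trans_inv": cfn_mid([t + shift for t in theta], F) == mid_t + shift,
        # ft_mid_greater / ft_mid_less: the result lies between the selections
        "bounded": select(theta, N - F) <= mid_t <= select(theta, F + 1),
        # good_greater_F1 / good_less_NF: a good reading on each side of it
        "good_witnesses": any(theta[p] >= select(theta, F + 1) for p in good_ps)
                          and any(theta[p] <= select(theta, N - F) for p in good_ps),
        # ft_mid_accuracy_preservation: within the good-reading spread Z of
        # every good clock (okay_Readpred holds with bound Z here)
        "accuracy": all(abs(mid_t - theta[q]) <= Z for q in good_ps),
        # ft_mid_precision_enhancement: both observers agree within Z/2 + X
        "precision": abs(mid_t - mid_g) <= Z / 2 + X,
    }


# Constructed sample: N = 7 clocks, F = 2 permitted faults, processes 0..5 good.
# Process 6 is faulty and two-faced: observer p sees 1000, observer q sees -500.
F = 2
THETA = [Fraction(v) for v in ("10", "11", "12", "10.5", "11.5", "11.25", "1000")]
GAMMA = [Fraction(v) for v in ("10.2", "10.8", "12.1", "10.4", "11.6", "11.15", "-500")]
X, Z = Fraction("0.2"), Fraction(2)


def good(p):
    """ppred of the sample: processes 0..5 are non-faulty."""
    return p <= 5


if __name__ == "__main__":
    print("cfn_MID(p, theta) =", cfn_mid(THETA, F))   # 45/4
    print("cfn_MID(q, gamma) =", cfn_mid(GAMMA, F))   # 431/40
    for name, ok in check_mid_lemmas(THETA, GAMMA, F, good, X, Z).items():
        print(f"{name}: {ok}")
```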
C Proof Chain Status

C.1 Translation Invariance

Terse proof chain for proof ft_mid_trans_inv_pr in module mid

Use of the formula
mid.ft_mid

requires the following TCCs to be proven
mid_tcc.ft_mid_TCC1
mid_tcc.ft_mid_TCC2
mid_tcc.ft_mid_TCC3

Use of the formula
division.div_distrib

requires the following TCCs to be proven
division_tcc.mult_div_1_TCC1
division_tcc.mult_div_TCC1
division_tcc.div_cancel_TCC1
division_tcc.ceil_mult_div_TCC1
division_tcc.div_nonnegative_TCC1
division_tcc.div_ineq_TCC1
division_tcc.div_minus_1_TCC1

=============== SUMMARY ===============

The proof chain is complete

The axioms and assumptions at the base are:
clocksort.funsort_trans_inv
division.mult_div_1
division.mult_div_2
division.mult_div_3
ft_mid_assume.ft_mid_maxfaults

Total: 5

The definitions and type-constraints are:
mid.ft_mid
multiplication.mult

Total: 2

The formulae used are:
division.div_cancel
division.div_distrib
division_tcc.ceil_mult_div_TCC1
division_tcc.div_cancel_TCC1
division_tcc.div_ineq_TCC1
division_tcc.div_minus_1_TCC1
division_tcc.div_nonnegative_TCC1
division_tcc.mult_div_1_TCC1
division_tcc.mult_div_TCC1
mid.add_assoc_hack
mid_tcc.ft_mid_TCC1
mid_tcc.ft_mid_TCC2
mid_tcc.ft_mid_TCC3
multiplication.distrib
multiplication.mult_lident
multiplication.mult_rident
select_defs.select_trans_inv

Total: 17

The completed proofs are:
division.div_cancel_pr
division.div_distrib_pr
division_tcc.ceil_mult_div_TCC1_PROOF
division_tcc.div_cancel_TCC1_PROOF
division_tcc.div_ineq_TCC1_PROOF
division_tcc.div_minus_1_TCC1_PROOF
division_tcc.div_nonnegative_TCC1_PROOF
division_tcc.mult_div_1_TCC1_PROOF
division_tcc.mult_div_TCC1_PROOF
mid.add_assoc_hack_pr
mid.ft_mid_trans_inv_pr
mid_tcc.ft_mid_TCC1_PROOF
mid_tcc.ft_mid_TCC3_PROOF
multiplication.distrib_proof
multiplication.mult_lident_proof
multiplication.mult_rident_proof
select_defs.select_trans_inv_pr
tcc_mid.ft_mid_TCC2_PROOF
Total: 18


C.2 Precision Enhancement

Terse proof chain for proof ft_mid_precision_enhancement_pr in module mid3

Use of the formula
mid3.ft_mid_prec_enh_sym

requires the following TCCs to be proven
mid3_tcc.ft_mid_Pi_TCC1
mid3_tcc.good_geq_F_add1_TCC1
mid3_tcc.okay_pair_geq_F_add1_TCC1
mid3_tcc.okay_pair_geq_F_add1_TCC2
mid3_tcc.good_between_TCC1
mid3_tcc.ft_mid_prec_sym1_TCC1
mid3_tcc.ft_mid_prec_sym1_TCC2
mid3_tcc.ft_mid_prec_sym1_TCC3
mid3_tcc.ft_mid_prec_sym1_TCC4
mid3_tcc.mid_gt_imp_sel_gt_TCC1
mid3_tcc.mid_gt_imp_sel_gt_TCC2
mid3_tcc.ft_mid_prec_sym1_pr_TCC1
mid3_tcc.ft_mid_prec_sym1_pr_TCC2

Use of the formula
mid.ft_mid

requires the following TCCs to be proven
mid_tcc.ft_mid_TCC1
mid_tcc.ft_mid_TCC2
mid_tcc.ft_mid_TCC3

Use of the formula
division.div_minus_distrib

requires the following TCCs to be proven
division_tcc.mult_div_1_TCC1
division_tcc.mult_div_TCC1
division_tcc.div_cancel_TCC1
division_tcc.ceil_mult_div_TCC1
division_tcc.div_nonnegative_TCC1
division_tcc.div_ineq_TCC1
division_tcc.div_minus_1_TCC1

Use of the formula
countmod.count_exists
requires the following TCCs to be proven
countmod_tcc.posint_TCC1
countmod_tcc.count_TCC1
countmod_tcc.count_TCC2
countmod_tcc.count_TCC3
countmod_tcc.count_TCC4
countmod_tcc.count_TCC5

Formula countmod_tcc.count_TCC4 is a termination TCC for countmod.count
Proof of
countmod_tcc.count_TCC4
must not use
countmod.count

Formula countmod_tcc.count_TCC5 is a termination TCC for countmod.count
Proof of
countmod_tcc.count_TCC5
must not use
countmod.count

Use of the formula
natinduction.induction
requires the following TCCs to be proven
natinduction_tcc.ind_m_proof_TCC1

Use of the formula
noetherian[naturalnumber, natinduction.less].general_induction
requires the following assumptions to be discharged
noetherian[naturalnumber, natinduction.less].well_founded

Use of the formula
noetherian[countmod.nk_type, countmod.nk_less].general_induction
requires the following assumptions to be discharged
noetherian[countmod.nk_type, countmod.nk_less].well_founded

Use of the formula
mid2.good_less_NF

requires the following TCCs to be proven
mid2_tcc.good_greater_F1_TCC1
mid2_tcc.good_less_NF_TCC1
mid2_tcc.good_greater_F1_pr_TCC1
mid2_tcc.good_less_NF_pr_TCC1

=============== SUMMARY ===============

The proof chain is complete

The axioms and assumptions at the base are:
clocksort.cnt_sort_geq
clocksort.cnt_sort_leq
division.mult_div_1
division.mult_div_2
division.mult_div_3
ft_mid_assume.ft_mid_maxfaults
multiplication.mult_non_neg
multiplication.mult_pos
noetherian[EXPR, EXPR].general_induction
Total: 9

The definitions and type-constraints are:
absmod.abs
clockassumptions.okay_Readpred
clockassumptions.okay_pairs
countmod.count
countmod.countsize
countmod.exists_less
countmod.nk_noeth_pred
countmod.nk_ph_pred
mid.ft_mid
multiplication.mult
naturalnumbers.nat_invariant
Total: 11


The formulae used are:
absmod.abs_com
absmod.abs_geq
absmod.abs_plus
countmod.count_exists
countmod.count_exists_base
countmod.count_exists_ind
countmod.nk_ph_expand
countmod.nk_ph_lem
countmod.nk_ph_noeth_hyp
countmod.ph_case0
countmod.ph_case0k
countmod.ph_case0n
countmod.ph_case1
countmod.ph_case2
countmod.ph_case2a
countmod.ph_case2b
countmod.pigeon_hole
countmod_tcc.count_TCC1
countmod_tcc.count_TCC2
countmod_tcc.count_TCC3
countmod_tcc.count_TCC4
countmod_tcc.count_TCC5
countmod_tcc.posint_TCC1
division.abs_div
division.div_cancel
division.div_distrib
division.div_ineq
division.div_minus_1
division.div_minus_distrib
division.div_nonnegative
division.mult_div
division.mult_minus
division_tcc.ceil_mult_div_TCC1
division_tcc.div_cancel_TCC1
division_tcc.div_ineq_TCC1
division_tcc.div_minus_1_TCC1
division_tcc.div_nonnegative_TCC1
division_tcc.mult_div_1_TCC1
division_tcc.mult_div_TCC1
mid2.good_less_NF
mid2_tcc.good_greater_F1_TCC1
mid2_tcc.good_greater_F1_pr_TCC1
mid2_tcc.good_less_NF_TCC1
mid2_tcc.good_less_NF_pr_TCC1
mid3.exchange_order
mid3.ft_mid_prec_enh_sym
mid3.ft_mid_prec_sym1
mid3.good_between
mid3.good_geq_F_add1
mid3.mid_gt_imp_sel_gt
mid3.okay_pair_geq_F_add1
mid3.okay_pairs_sym
mid3_tcc.ft_mid_Pi_TCC1
mid3_tcc.ft_mid_prec_sym1_TCC1
mid3_tcc.ft_mid_prec_sym1_TCC2
mid3_tcc.ft_mid_prec_sym1_TCC3
mid3_tcc.ft_mid_prec_sym1_TCC4
mid3_tcc.ft_mid_prec_sym1_pr_TCC1
mid3_tcc.ft_mid_prec_sym1_pr_TCC2
mid3_tcc.good_between_TCC1
mid3_tcc.good_geq_F_add1_TCC1
mid3_tcc.mid_gt_imp_sel_gt_TCC1
mid3_tcc.mid_gt_imp_sel_gt_TCC2
mid3_tcc.okay_pair_geq_F_add1_TCC1
mid3_tcc.okay_pair_geq_F_add1_TCC2
mid_tcc.ft_mid_TCC1
mid_tcc.ft_mid_TCC2
mid_tcc.ft_mid_TCC3
multiplication.distrib
multiplication.distrib_minus
multiplication.mult_com
multiplication.mult_gt
multiplication.mult_ldistrib_minus
multiplication.mult_leq
multiplication.mult_lident
multiplication.mult_rident
multiplication.pos_product
natinduction.induction
natinduction_tcc.ind_m_proof_TCC1
noetherian[countmod.nk_type, countmod.nk_less].well_founded
noetherian[naturalnumber, natinduction.less].well_founded
select_defs.count_geq_select
select_defs.count_leq_select

Total: 83

The completed proofs are:
absmod.abs_com_proof
absmod.abs_geq_proof
absmod.abs_plus_pr
countmod.count_exists_base_pr
countmod.count_exists_ind_pr
countmod.count_exists_pr
countmod.nk_ph_expand_pr
countmod.nk_ph_lem_pr
countmod.nk_ph_noeth_hyp_pr
countmod.nk_well_founded
countmod.ph_case0_pr
countmod.ph_case0k_pr
countmod.ph_case0n_pr
countmod.ph_case1_pr
countmod.ph_case2_pr
countmod.ph_case2a_pr
countmod.ph_case2b_pr
countmod.pigeon_hole_pr
countmod_tcc.count_TCC1_PROOF
countmod_tcc.count_TCC2_PROOF
countmod_tcc.count_TCC3_PROOF
division.abs_div_pr
division.div_cancel_pr
division.div_distrib_pr
division.div_ineq_pr
division.div_minus_1_pr
division.div_minus_distrib_pr
division.div_nonnegative_pr
division.mult_div_pr
division.mult_minus_pr
division_tcc.ceil_mult_div_TCC1_PROOF
division_tcc.div_cancel_TCC1_PROOF
division_tcc.div_ineq_TCC1_PROOF
division_tcc.div_minus_1_TCC1_PROOF
division_tcc.div_nonnegative_TCC1_PROOF
division_tcc.mult_div_1_TCC1_PROOF
division_tcc.mult_div_TCC1_PROOF
mid2.good_less_NF_pr
mid2_tcc.good_greater_F1_TCC1_PROOF
mid2_tcc.good_greater_F1_pr_TCC1_PROOF
mid3.exchange_order_pr
mid3.ft_mid_prec_enh_sym_pr
mid3.ft_mid_prec_sym1_pr
mid3.ft_mid_precision_enhancement_pr
mid3.good_between_pr
mid3.good_geq_F_add1_pr
mid3.mid_gt_imp_sel_gt_pr
mid3.okay_pair_geq_F_add1_pr
mid3.okay_pairs_sym_pr
mid3_tcc.ft_mid_Pi_TCC1_PROOF
mid3_tcc.ft_mid_prec_sym1_TCC1_PROOF
mid3_tcc.ft_mid_prec_sym1_TCC3_PROOF
mid3_tcc.ft_mid_prec_sym1_pr_TCC1_PROOF
mid3_tcc.good_geq_F_add1_TCC1_PROOF
mid3_tcc.mid_gt_imp_sel_gt_TCC1_PROOF
mid3_tcc.okay_pair_geq_F_add1_TCC1_PROOF
mid3_tcc.okay_pair_geq_F_add1_TCC2_PROOF
mid_tcc.ft_mid_TCC1_PROOF
mid_tcc.ft_mid_TCC3_PROOF
mid_top.countmod_TCC4_pr
mid_top.countmod_TCC5_pr
mid_top.posint_TCC1_PROOF
multiplication.distrib_minus_pr
multiplication.distrib_proof
multiplication.mult_com_pr
multiplication.mult_gt_pr
multiplication.mult_ldistrib_minus_proof
multiplication.mult_leq_pr
multiplication.mult_lident_proof
multiplication.mult_rident_proof
multiplication.pos_product_pr
natinduction.discharge
natinduction.ind_proof
natinduction_tcc.ind_m_proof_TCC1_PROOF
select_defs.count_geq_select_pr
select_defs.count_leq_select_pr
tcc_mid.ft_mid_TCC2_PROOF
tcc_mid.ft_mid_prec_sym1_TCC2_PROOF
tcc_mid.ft_mid_prec_sym1_TCC4_PROOF
tcc_mid.ft_mid_prec_sym1_pr_TCC2_PROOF
tcc_mid.good_between_TCC1_PROOF
tcc_mid.good_less_NF_TCC1_PROOF
tcc_mid.good_less_NF_pr_TCC1_PROOF
tcc_mid.mid_gt_imp_sel_gt_TCC2_PROOF
Total: 84


C.3 Accuracy Preservation

Terse proof chain for proof ft_mid_acc_pres_pr in module mid4

Use of the formula
mid4.ft_mid_bnd_by_good
requires the following TCCs to be proven
mid4_tcc.ft_mid_less_TCC1
mid4_tcc.ft_mid_greater_TCC1

Use of the formula
mid2.good_greater_F1
requires the following TCCs to be proven
mid2_tcc.good_greater_F1_TCC1
mid2_tcc.good_less_NF_TCC1
mid2_tcc.good_greater_F1_pr_TCC1
mid2_tcc.good_less_NF_pr_TCC1

Use of the formula
countmod.count_exists
requires the following TCCs to be proven
countmod_tcc.posint_TCC1
countmod_tcc.count_TCC1
countmod_tcc.count_TCC2
countmod_tcc.count_TCC3
countmod_tcc.count_TCC4
countmod_tcc.count_TCC5

Formula countmod_tcc.count_TCC4 is a termination TCC for countmod.count
Proof of
countmod_tcc.count_TCC4
must not use
countmod.count

Formula countmod_tcc.count_TCC5 is a termination TCC for countmod.count
Proof of
countmod_tcc.count_TCC5
must not use
countmod.count

Use of the formula
natinduction.induction
requires the following TCCs to be proven
natinduction_tcc.ind_m_proof_TCC1

Use of the formula
noetherian[naturalnumber, natinduction.less].general_induction
requires the following assumptions to be discharged
noetherian[naturalnumber, natinduction.less].well_founded

Use of the formula
noetherian[countmod.nk_type, countmod.nk_less].general_induction
requires the following assumptions to be discharged
noetherian[countmod.nk_type, countmod.nk_less].well_founded

Use of the formula
mid.ft_mid
requires the following TCCs to be proven
mid_tcc.ft_mid_TCC1
mid_tcc.ft_mid_TCC2
mid_tcc.ft_mid_TCC3

Use of the formula
division.div_ineq
requires the following TCCs to be proven
division_tcc.mult_div_1_TCC1
division_tcc.mult_div_TCC1
division_tcc.div_cancel_TCC1
division_tcc.ceil_mult_div_TCC1
division_tcc.div_nonnegative_TCC1
division_tcc.div_ineq_TCC1
division_tcc.div_minus_1_TCC1
================== SUMMARY

The proof chain is complete

The axioms and assumptions at the base are:
clocksort.cnt_sort_geq
clocksort.cnt_sort_leq
clocksort.funsort_ax
division.mult_div_1
division.mult_div_2
division.mult_div_3
ft_mid_assume.ft_mid_maxfaults
multiplication.mult_pos
noetherian[EXPR, EXPR].general_induction

Total: 9

The definitions and type-constraints are:
absmod.abs
clockassumptions.okay_Readpred
countmod.count
countmod.count_size
countmod.exists_less
countmod.nk_noeth_pred
countmod.nk_ph_pred
mid.ft_mid
multiplication.mult
naturalnumbers.nat_invariant

Total: 10

The formulae used are:
absmod.abs_com
absmod.abs_geq
countmod.count_exists
countmod.count_exists_base
countmod.count_exists_ind
countmod.nk_ph_expand
countmod.nk_ph_lem
countmod.nk_ph_noeth_hyp
countmod.ph_case0
countmod.ph_case0k
countmod.ph_case0n
countmod.ph_case1
countmod.ph_case2
countmod.ph_case2a
countmod.ph_case2b
countmod.pigeon_hole
countmod_tcc.count_TCC1
countmod_tcc.count_TCC2
countmod_tcc.count_TCC3
countmod_tcc.count_TCC4
countmod_tcc.count_TCC5
countmod_tcc.posint_TCC1
division.div_cancel
division.div_ineq
division.mult_div
division_tcc.ceil_mult_div_TCC1
division_tcc.div_cancel_TCC1
division_tcc.div_ineq_TCC1
division_tcc.div_minus_1_TCC1
division_tcc.div_nonnegative_TCC1
division_tcc.mult_div_1_TCC1
division_tcc.mult_div_TCC1
mid2.good_greater_F1
mid2.good_less_NF
mid2_tcc.good_greater_F1_TCC1
mid2_tcc.good_greater_F1_pr_TCC1
mid2_tcc.good_less_NF_TCC1
mid2_tcc.good_less_NF_pr_TCC1
mid4.abs_q_greater
mid4.abs_q_less
mid4.ft_mid_bnd_by_good
mid4.ft_mid_greater
mid4.ft_mid_less
mid4.ft_select
mid4.maxfaults_lem
mid4.mult_hack
mid4_tcc.ft_mid_greater_TCC1
mid4_tcc.ft_mid_less_TCC1
mid_tcc.ft_mid_TCC1
mid_tcc.ft_mid_TCC2
mid_tcc.ft_mid_TCC3
multiplication.distrib_minus
multiplication.mult_com
multiplication.mult_gt
multiplication.mult_ldistrib_minus
multiplication.mult_lident
multiplication.mult_rident
natinduction.induction
natinduction_tcc.ind_m_proof_TCC1
noetherian[countmod.nk_type, countmod.nk_less].well_founded
noetherian[naturalnumber, natinduction.less].well_founded
select_defs.count_geq_select
select_defs.count_leq_select
select_defs.select_ax

Total: 64

The completed proofs are:
absmod.abs_com_proof
absmod.abs_geq_proof
countmod.count_exists_base_pr
countmod.count_exists_ind_pr
countmod.count_exists_pr
countmod.nk_ph_expand_pr
countmod.nk_ph_lem_pr
countmod.nk_ph_noeth_hyp_pr
countmod.nk_well_founded
countmod.ph_case0_pr
countmod.ph_case0k_pr
countmod.ph_case0n_pr
countmod.ph_case1_pr
countmod.ph_case2_pr
countmod.ph_case2a_pr
countmod.ph_case2b_pr
countmod.pigeon_hole_pr
countmod_tcc.count_TCC1_PROOF
countmod_tcc.count_TCC2_PROOF
countmod_tcc.count_TCC3_PROOF
division.div_cancel_pr
division.div_ineq_pr
division.mult_div_pr
division_tcc.ceil_mult_div_TCC1_PROOF
division_tcc.div_cancel_TCC1_PROOF
division_tcc.div_ineq_TCC1_PROOF
division_tcc.div_minus_1_TCC1_PROOF
division_tcc.div_nonnegative_TCC1_PROOF
division_tcc.mult_div_1_TCC1_PROOF
division_tcc.mult_div_TCC1_PROOF
mid2.good_greater_F1_pr
mid2.good_less_NF_pr
mid2_tcc.good_greater_F1_TCC1_PROOF
mid2_tcc.good_greater_F1_pr_TCC1_PROOF
mid4.abs_q_greater_pr
mid4.abs_q_less_pr
mid4.ft_mid_acc_pres_pr
mid4.ft_mid_bnd_by_good_pr
mid4.ft_mid_greater_pr
mid4.ft_mid_less_pr
mid4.ft_select_pr
mid4.maxfaults_lem_pr
mid4.mult_hack_pr
mid4_tcc.ft_mid_less_TCC1_PROOF
mid_tcc.ft_mid_TCC1_PROOF
mid_tcc.ft_mid_TCC3_PROOF
mid_top.countmod_TCC4_pr
mid_top.countmod_TCC5_pr
mid_top.posint_TCC1_PROOF
multiplication.distrib_minus_pr
multiplication.mult_com_pr
multiplication.mult_gt_pr
multiplication.mult_ldistrib_minus_proof
multiplication.mult_lident_proof
multiplication.mult_rident_proof
natinduction.discharge
natinduction.ind_proof
natinduction_tcc.ind_m_proof_TCC1_PROOF
select_defs.count_geq_select_pr
select_defs.count_leq_select_pr
select_defs.select_ax_pr
tcc_mid.ft_mid_TCC2_PROOF
tcc_mid.ft_mid_greater_TCC1_PROOF
tcc_mid.good_less_NF_TCC1_PROOF
tcc_mid.good_less_NF_pr_TCC1_PROOF

Total: 65